Abstract

In this technical report, we present a static and dynamic semantics as well as a proof of soundness for a programming language presented in the paper entitled "Verifying Correct Usage of Atomic Blocks and Typestate" [1]. The proof of soundness consists of a proof of preservation, which shows that well-typed expressions evaluate to other well-typed expressions, and a proof of progress, which shows that well-typed expressions are either values or can take an evaluation step in the dynamic semantics. The notion of progress is complicated by a specific notion of a well-typed heap, which ensures that only one reference in the entire thread-pool can know the exact state of an object of share or pure permission.


1 Proof of Soundness

Our soundness criterion is as follows: it is either the case that all of the threads in a program are values, or there exists one thread such that the expression this thread is evaluating is well-typed and can take a step to another well-typed expression. If one of the threads in the thread-pool is currently executing within a transaction, then that thread must step, and if no threads in the thread-pool are currently executing within a transaction, then any thread that is not a value must be able to step. The dynamic semantics track typestate, and there is no evaluation rule to allow a method call if method preconditions are not met. In order to prove that method preconditions are always met for well-typed programs, our store typing judgment requires the invariant that only one thread can pinpoint the state of a share or pure object at a time.

The language of the proof differs from the language used in the paper in a few ways. We have restored the original effects system used by Bierhoff and Aldrich [2]. This system was removed from the paper for purposes of clarity. The effects system keeps track of the fields that are modified in a subexpression to ensure that only the fields of the unpacked object are modified, and no field permissions "escape" beyond the packing of that object. Otherwise, our proof language resembles their proof language in most ways. As it was for Bierhoff and Aldrich, we have simplified the language of the proof by removing linear disjunction ($\oplus$) and additive conjunction ($\&$). In the paper, an object is known to be unpacked if there is an $\mathsf{unpacked}(k, s)$ permission inside of the linear context. In the system shown here, we use a separate context $u$. One $u$ appears on the left-hand side of the judgment. This shows us which object is unpacked before the expression takes an evaluation step. The other $u$ appears on the right-hand side, and shows us which object is unpacked after the expression has finished an evaluation step.

For the majority of the proof, things proceed much as they did in the proof of soundness presented by Bierhoff and Aldrich [2], with many of the multi-threaded features coming from Moore and Grossman [3]. Our system is different in a few ways. In Bierhoff and Aldrich the stack permissions, that is, the dynamic representation of permissions that are currently available for use by the evaluating expression, were actually stored inside the heap. Because we have many threads, we have a separate environment $S_p$ attached to each thread expression which holds these stack permissions. Additionally, when typing a pool of threads $T$ (essentially a list of expressions and their stack permissions), we associate each with its own linear context $\Delta$ and incoming unpacking flag $u$. We often must refer to the entire collection of linear contexts and packing flags, and this will usually be written $\overline{\Delta}$ and $\overline{u}$. Keep in mind that each linear context and unpacking flag is associated with one specific thread. This would most accurately be written as a list of tuples, except that our $\overline{\Delta}$ and $\overline{u}$ usually appear on the left-hand side of the rule, while the thread itself will appear on the right-hand side, and so treating them as a tuple would be notationally awkward.

When type-checking the top-level thread pool, the members of $\overline{\Delta}$ and $\overline{u}$ are tagged with an additional bit of information, and are written $\Delta^\varepsilon$ and $u^\varepsilon$. At most one $\Delta$ and $u$ pair is allowed to contain specific state information about pure and share permissions. If this is the case, that $\Delta$ and $u$ will be tagged with $\mathsf{wt}$, whereas others may not be. The fact that at most one linear context and unpacking flag is allowed to contain state information about share and pure permissions is checked by the $a; (\overline{\Delta^\varepsilon}, \overline{u^\varepsilon})\ \textsf{ok}$ judgment.
1.1 Proof Language

\[
\begin{array}{lrcl}
\text{programs} & PG & ::= & (\overline{CL}, e) \\
\text{class decls} & CL & ::= & \mathsf{class}\ C\ \{\overline{F}\ I\ \overline{N}\ \overline{M}\} \\
\text{methods} & M & ::= & C_r\ m(C\ x) : P_1 \multimap \exists \mathit{result} : C_r . P_2 = e \\
\text{terms} & t & ::= & x, y, z \mid o \\
\text{expressions} & e & ::= & k \cdot t \mid k \cdot t.f \mid t_1.f := k \cdot t_2 \mid \mathsf{new}\ C(\overline{k \cdot t}) \mid k \cdot t.m(\overline{k \cdot t}) \\
 & & \mid & \mathsf{inatomic}(e) \mid \mathsf{let}\ x = e_1\ \mathsf{in}\ e_2 \mid \mathsf{spawn}(k \cdot t.m(\overline{k \cdot t})) \mid \mathsf{atomic}\ e \\
 & & \mid & \mathsf{unpack}_\varepsilon\ k \cdot t@s\ \mathsf{in}\ e \mid \mathsf{pack}\ t\ \mathsf{to}\ s'\ \mathsf{in}\ e \\
\text{expression types} & E & ::= & \exists x : C . P \\
\text{initializers} & I & ::= & \mathsf{init}(\exists \overline{f} : \overline{C} . P, s) \\
\text{atomic effects} & \varepsilon & ::= & \mathsf{wt} \mid \mathsf{ot} \mid \mathsf{emp} \\
\text{states} & S & ::= & s \mid \mathsf{unpacked}(k) \mid \mathsf{unpacked}(s) \\
\text{predicates} & P & ::= & k \cdot t@\$ \mid P_1 \otimes P_2 \\
 & \$ & ::= & s \mid\ ? \\
\text{state invariants} & N & ::= & s = P \\
\text{valid contexts} & \Gamma & ::= & \cdot \mid \Gamma, x : C \\
\text{linear contexts} & \Delta & ::= & \cdot \mid \Delta, P \\
\text{stores} & \Sigma & ::= & \cdot \mid \Sigma, o : C \\
\text{heaps} & H & ::= & \cdot \mid H, o \mapsto C(\overline{f = k \cdot o})@S \\
\text{permissions} & k & ::= & \mathsf{full} \mid \mathsf{pure} \mid \mathsf{share} \mid \mathsf{immutable} \mid \mathsf{unique} \\
\text{unpacking flags} & u & ::= & - \mid k \cdot t@s \\
\text{effects} & \omega & ::= & \emptyset \mid \{t.f\} \mid \omega_1 \cup \omega_2
\end{array}
\]


1.2 Judgment Forms

Top-level evaluation: $a; H; T \to a'; H'; T'$. Under transaction state $a$ and heap $H$ the thread-pool $T$ evaluates to $T'$, which may modify an expression and add a new expression, while possibly modifying the heap to $H'$ and changing the transaction state to $a'$.

Expression evaluation: $a; H; (e, S_p) \to a'; H'; (e', S_p'); T$. In heap $H$, with transaction state $a$ and stack permissions $S_p$, the expression $e$ takes a step to $e'$, potentially modifying each and potentially adding a new thread.

Expression typing: $\Gamma; \Sigma; \Delta; \varepsilon; u \vdash e : E \setminus \omega \,|\, u'$. In variable context $\Gamma$, store $\Sigma$, linear context $\Delta$, transaction effect $\varepsilon$, and unpacking flag $u$, expression $e$ has type $E$, may assign to fields in $\omega$, and changes the unpacking flag to $u'$.

Store typing (definition 1.5.1): $\Sigma; \overline{\Delta^\varepsilon}; \overline{u^\varepsilon} \vdash H; \overline{S_p}$. In store context $\Sigma$ with lists of linear contexts $\overline{\Delta^\varepsilon}$ and packing flags $\overline{u^\varepsilon}$, each tagged with a transaction effect, the heap $H$ and the list of all stack permissions $\overline{S_p}$ are well-typed.

Linear logic entailment (figure 6): $\Gamma; \Sigma; \Delta \vdash P$. In variable context $\Gamma$ and store $\Sigma$, linear context $\Delta$ proves $P$.

Runtime property check (definition 1.5.2): $H; S_p \,|\, k \cdot o \vdash P$. Heap $H$ with stack permissions $S_p$ restricted to stack permissions $k \cdot o$ satisfies property $P$.

Judgment $\Gamma; \Sigma; \Delta \vdash_\varepsilon P$:
\[
\frac{\varepsilon = \mathsf{ot} \mid \mathsf{emp} \qquad k \cdot o@s \notin \Delta, P\ \text{where}\ k = \mathsf{pure} \mid \mathsf{share} \qquad \Gamma; \Sigma; \Delta \vdash P}{\Gamma; \Sigma; \Delta \vdash_\varepsilon P}
\qquad
\frac{\Gamma; \Sigma; \Delta \vdash P}{\Gamma; \Sigma; \Delta \vdash_{\mathsf{wt}} P}
\]

Figure 1: Transaction-aware linear judgement


1.3 Thread Pool and Expression Typing

Judgment $k \cdot o@s \notin \Delta$:
\[
\frac{}{k \cdot o@s \notin \cdot}
\qquad
\frac{k \cdot o@s \notin P \qquad k \cdot o@s \notin \Delta}{k \cdot o@s \notin \Delta, P}
\]

Judgment $k \cdot o@s \notin P$:
\[
\frac{}{k \cdot o@s \notin k \cdot o@?}
\qquad
\frac{(k \neq k' \mid o \neq o' \mid s \neq s')}{k \cdot o@s \notin k' \cdot o'@s'}
\]

Judgment $a; (\overline{\Delta^\varepsilon, u^\varepsilon})\ \textsf{ok}$:
\[
\frac{\textsf{not-wt}((\overline{\Delta^\varepsilon, u^\varepsilon})_1) \qquad \textsf{not-wt}((\overline{\Delta^\varepsilon, u^\varepsilon})_2)}{\bullet; ((\overline{\Delta^\varepsilon, u^\varepsilon})_1, (\Delta^{\mathsf{wt}}, u^{\mathsf{wt}}), (\overline{\Delta^\varepsilon, u^\varepsilon})_2)\ \textsf{ok}}
\qquad
\frac{\textsf{not-wt}(\overline{(\Delta^\varepsilon, u^\varepsilon)})}{\circ; \overline{(\Delta^\varepsilon, u^\varepsilon)}\ \textsf{ok}}
\]

Figure 2: Well-formedness of all linear contexts.

Judgment $\textsf{not-wt}(\overline{(\Delta^\varepsilon, u^\varepsilon)})$:
\[
\frac{}{\textsf{not-wt}(\cdot)}
\qquad
\frac{\textsf{not-wt}((\Delta^\varepsilon, u^\varepsilon)) \qquad \textsf{not-wt}(\overline{(\Delta^\varepsilon, u^\varepsilon)})}{\textsf{not-wt}((\Delta^\varepsilon, u^\varepsilon), \overline{(\Delta^\varepsilon, u^\varepsilon)})}
\]

Judgment $\textsf{not-wt}((\Delta^\varepsilon, u^\varepsilon))$:
\[
\frac{\textsf{not-wt}(\Delta^\varepsilon) \qquad u^\varepsilon \neq k \cdot o@s\ \text{where}\ k = \mathsf{share} \mid \mathsf{pure}}{\textsf{not-wt}((\Delta^\varepsilon, u^\varepsilon))}
\]

Judgment $\textsf{not-wt}(\Delta^\varepsilon)$:
\[
\frac{k \cdot o@s \notin \Delta^\varepsilon\ \text{where}\ k = \mathsf{share} \mid \mathsf{pure}}{\textsf{not-wt}(\Delta^\varepsilon)}
\]


Judgment $\textsf{not-active}(e)$:
\[
\frac{}{\textsf{not-active}(k \cdot t)}
\qquad
\frac{}{\textsf{not-active}(k \cdot t.f)}
\qquad
\frac{}{\textsf{not-active}(t_1.f := k \cdot t_2)}
\qquad
\frac{}{\textsf{not-active}(\mathsf{new}\ C(\overline{k \cdot t}))}
\]
\[
\frac{\mathsf{mbody}(C, m) = \overline{x}.e_m \qquad \textsf{not-active}(e_m)}{\textsf{not-active}(k \cdot t.m(\overline{k \cdot t}))}
\qquad
\frac{\textsf{not-active}(e_1) \qquad \textsf{not-active}(e_2)}{\textsf{not-active}(\mathsf{let}\ x = e_1\ \mathsf{in}\ e_2)}
\]
\[
\frac{\textsf{not-active}(e)}{\textsf{not-active}(\mathsf{pack}\ t\ \mathsf{to}\ s\ \mathsf{in}\ e)}
\qquad
\frac{\textsf{not-active}(e)}{\textsf{not-active}(\mathsf{unpack}_\varepsilon\ k \cdot t@s\ \mathsf{in}\ e)}
\qquad
\frac{\textsf{not-active}(e)}{\textsf{not-active}(\mathsf{atomic}(e))}
\]

Figure 3: Expressions with no active subexpressions.


Judgment $\textsf{active}(e)$:
\[
\frac{}{\textsf{active}(\mathsf{inatomic}(e))}
\qquad
\frac{\textsf{active}(e_1) \qquad \textsf{not-active}(e_2)}{\textsf{active}(\mathsf{let}\ x = e_1\ \mathsf{in}\ e_2)}
\]

Figure 4: Expressions with an active subexpression.
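As an added illustration, not code from the report, the active and not-active judgments of Figures 3 and 4 as a recursive check over a small tuple-encoded expression tree, together with a correct-atomic check written from the way the proof of preservation for thread pools (section 1.5.6) uses that side condition: with no transaction running every thread is not-active, and with one running exactly one thread is active and the rest are not-active. The tuple encoding, the method-body table and that reading of correct-atomic are assumptions of the example.

```python
# Added example (not code from the report): the active / not-active judgments
# of Figures 3 and 4 over a tuple-encoded expression tree, plus a
# correct-atomic check written from the way the proof of preservation for
# thread pools (section 1.5.6) uses that side condition.
from typing import Dict, List, Tuple

# Expressions are tuples (tag, children...).  This encoding is an assumption of
# the example, not the report's concrete syntax:
#   ("term", t)   ("read", t, f)   ("assign", t1, f, t2)   ("new", C)
#   ("call", m)   ("let", e1, e2)  ("pack", e)  ("unpack", e)
#   ("atomic", e) ("inatomic", e)
Expr = Tuple

# mbody(C, m) = x.e_m, flattened to a constructed name -> body table.
MBODY: Dict[str, Expr] = {"m": ("read", "this", "f")}


def not_active(e: Expr) -> bool:
    """Figure 3: e contains no inatomic subexpression."""
    tag = e[0]
    if tag in ("term", "read", "assign", "new"):
        return True                          # axioms of Figure 3
    if tag == "call":
        return not_active(MBODY[e[1]])       # the method body must be not-active
    if tag == "let":
        return not_active(e[1]) and not_active(e[2])
    if tag in ("pack", "unpack", "atomic"):
        return not_active(e[1])
    if tag == "inatomic":
        return False                         # no rule derives not-active(inatomic(e))
    raise ValueError(f"unknown expression form {tag!r}")


def active(e: Expr) -> bool:
    """Figure 4: e is inatomic(...) or a let whose e1 is active and e2 not-active."""
    tag = e[0]
    if tag == "inatomic":
        return True
    if tag == "let":
        return active(e[1]) and not_active(e[2])
    return False                             # no other rule derives active(e)


def correct_atomic(a: str, pool: List[Expr]) -> bool:
    """correct-atomic(a, T) as the preservation proof reads it (an assumption of
    this example): with no transaction running (a = "∘") every thread is
    not-active; with one running (a = "•") exactly one thread is active and
    every other thread is not-active."""
    if a == "∘":
        return all(not_active(e) for e in pool)
    if a == "•":
        n_active = sum(1 for e in pool if active(e))
        return n_active == 1 and all(active(e) or not_active(e) for e in pool)
    raise ValueError("transaction state must be '∘' or '•'")
```

Note that active and not-active are not complementary: a let whose two parts are both inatomic satisfies neither judgment, so correct_atomic rejects any pool containing it.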


Judgment $\mathsf{forget}(P) = P'$:
\[
\frac{k = \mathsf{immutable} \mid \mathsf{unique} \mid \mathsf{full}}{\mathsf{forget}(k \cdot o@s) = k \cdot o@s}
\qquad
\frac{k = \mathsf{pure} \mid \mathsf{share}}{\mathsf{forget}(k \cdot o@s) = k \cdot o@?}
\qquad
\frac{\mathsf{forget}(P_1) = P_1' \qquad \mathsf{forget}(P_2) = P_2'}{\mathsf{forget}(P_1 \otimes P_2) = P_1' \otimes P_2'}
\]

Figure 5: The forget judgement.

Judgment $\mathsf{forget}_\varepsilon(P) = P'$:
\[
\frac{\varepsilon = \mathsf{wt}}{\mathsf{forget}_\varepsilon(P) = P}
\qquad
\frac{\varepsilon \neq \mathsf{wt} \qquad \mathsf{forget}(P) = P'}{\mathsf{forget}_\varepsilon(P) = P'}
\]

Judgment $\mathsf{writes}(k)$:
\[
\frac{}{\mathsf{writes}(\mathsf{unique})}
\qquad
\frac{}{\mathsf{writes}(\mathsf{full})}
\qquad
\frac{}{\mathsf{writes}(\mathsf{share})}
\]

Judgment $\mathsf{readonly}(k)$:
\[
\frac{}{\mathsf{readonly}(\mathsf{pure})}
\qquad
\frac{}{\mathsf{readonly}(\mathsf{immutable})}
\]

Judgment $S \leq S'$:
\[
\frac{}{S \leq S}
\qquad
\frac{}{S \leq\ ?}
\qquad
\frac{}{\mathsf{unpacked}(s) \leq s}
\qquad
\frac{}{s \leq \mathsf{unpacked}(s)}
\]

Judgment $k \leq k'$:
\[
\frac{k \cdot o@s \vdash k' \cdot o@s}{k \leq k'}
\qquad
\frac{k \cdot o@s \vdash k' \cdot o@s \otimes k'' \cdot o@s}{k \leq k'}
\]
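As an added example, not code from the report: the forget and forget_ε judgments of Figure 5, writes and readonly, the $k \cdot o@s \notin \Delta$ check and the not-wt and $a; (\overline{\Delta^\varepsilon}, \overline{u^\varepsilon})\ \textsf{ok}$ judgments of Figure 2, run as executable checks over constructed linear contexts, so that the invariant that only the wt context inside a transaction may pin down the state of a share or pure object can be seen failing and succeeding. The record encoding, the tag strings and the sample contexts are assumptions of the example.

```python
# Added example (not code from the report): forget / forget_ε (Figure 5),
# writes / readonly, the k·o@s ∉ Δ check and the not-wt / "a; (Δ^ε, u^ε) ok"
# judgments of Figure 2, run over constructed linear contexts.
from dataclasses import dataclass
from typing import List, Optional, Tuple

WRITES = {"unique", "full", "share"}       # writes(k)
READONLY = {"pure", "immutable"}           # readonly(k)
STATE_FORGOTTEN = {"pure", "share"}        # kinds whose state forget() drops


@dataclass(frozen=True)
class Perm:
    """A predicate k·o@$.  State None encodes the unknown state '?'."""
    k: str
    o: str
    s: Optional[str]


def writes(k: str) -> bool:
    return k in WRITES


def readonly(k: str) -> bool:
    return k in READONLY


def forget(p: Perm) -> Perm:
    """forget(P): immutable|unique|full keep their state, pure|share go to '?'."""
    return Perm(p.k, p.o, None) if p.k in STATE_FORGOTTEN else p


def forget_eps(eps: str, p: Perm) -> Perm:
    """forget_ε(P): inside a transaction (ε = wt) nothing is forgotten."""
    return p if eps == "wt" else forget(p)


def forget_ctx(eps: str, delta: List[Perm]) -> List[Perm]:
    """forget_ε lifted pointwise over P1 ⊗ ... ⊗ Pn, i.e. over a context Δ."""
    return [forget_eps(eps, p) for p in delta]


def not_in(p: Perm, delta: List[Perm]) -> bool:
    """k·o@s ∉ Δ: no entry agrees on kind, object and state.  In particular
    k·o@s ∉ k·o@? holds, so a forgotten entry does not count as known state."""
    return all(p != q for q in delta)


def not_wt_ctx(delta: List[Perm]) -> bool: 
    """not-wt(Δ^ε): no share|pure permission with a specific state in Δ."""
    return all(q.k not in STATE_FORGOTTEN or q.s is None for q in delta)


Thread = Tuple[str, List[Perm], Optional[Perm]]   # (ε tag, Δ, u)


def not_wt(delta: List[Perm], u: Optional[Perm]) -> bool:
    """not-wt((Δ^ε, u^ε)): Δ is not-wt and u is not a share|pure unpacking."""
    return not_wt_ctx(delta) and not (u is not None and u.k in STATE_FORGOTTEN)


def contexts_ok(a: str, threads: List[Thread]) -> bool:
    """a; (Δ^ε, u^ε) ok.  With no transaction (a = "∘") every context is
    not-wt; with one running (a = "•") exactly one context carries the wt tag
    and all the others are not-wt.  Only the wt context may pin down the state
    of a share or pure object."""
    if a == "∘":
        return all(not_wt(d, u) for _, d, u in threads)
    if a == "•":
        wt = [t for t in threads if t[0] == "wt"]
        rest = [t for t in threads if t[0] != "wt"]
        return len(wt) == 1 and all(not_wt(d, u) for _, d, u in rest)
    raise ValueError("transaction state must be '∘' or '•'")


# Constructed sample contexts.  T1 runs the transaction and knows o1 is 'open';
# T2 holds the same permission after forget_ot, so its state is '?';
# T3 claims share state outside wt, which the ok judgment must reject.
T1: Thread = ("wt", [Perm("share", "o1", "open"), Perm("unique", "o2", "idle")], None)
T2: Thread = ("ot", forget_ctx("ot", [Perm("share", "o1", "open")]), None)
T3: Thread = ("emp", [Perm("share", "o1", "open")], None)
```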
\[
\frac{}{\Gamma; P \vdash P}\ \textsc{LinHyp}
\qquad
\frac{\Gamma; \Delta \vdash P' \qquad P' \Rightarrow P}{\Gamma; \Delta \vdash P}\ \textsc{Subst}
\]
\[
\frac{\Gamma; \Delta_1 \vdash P_1 \qquad \Gamma; \Delta_2 \vdash P_2}{\Gamma; (\Delta_1, \Delta_2) \vdash P_1 \otimes P_2}\ \otimes\textsc{I}
\qquad
\frac{}{\Gamma; \cdot \vdash 1}\ 1\textsc{I}
\qquad
\frac{\Gamma; \Delta \vdash P_1 \qquad \Gamma; \Delta \vdash P_2}{\Gamma; \Delta \vdash P_1 \,\&\, P_2}\ \&\textsc{I}
\]
\[
\frac{}{\Gamma; \Delta \vdash \top}\ \top\textsc{I}
\qquad
\frac{\Gamma; \Delta \vdash P_1}{\Gamma; \Delta \vdash P_1 \oplus P_2}\ \oplus\textsc{Il}
\qquad
\frac{\Gamma; \Delta \vdash P_2}{\Gamma; \Delta \vdash P_1 \oplus P_2}\ \oplus\textsc{Ir}
\qquad
\text{no } 0 \text{ introduction}
\]
\[
\frac{(\Gamma, z : H); \Delta \vdash P}{\Gamma; \Delta \vdash \forall z : H . P}\ \forall\textsc{I}
\qquad
\frac{\Gamma \vdash h : H \qquad \Gamma; \Delta \vdash [h/z]P}{\Gamma; \Delta \vdash \exists z : H . P}\ \exists\textsc{I}
\]
\[
\frac{\Gamma; \Delta \vdash P_1 \otimes P_2 \qquad \Gamma; (\Delta', P_1, P_2) \vdash P}{\Gamma; (\Delta, \Delta') \vdash P}\ \otimes\textsc{E}
\qquad
\frac{\Gamma; \Delta \vdash 1 \qquad \Gamma; \Delta' \vdash P}{\Gamma; (\Delta, \Delta') \vdash P}\ 1\textsc{E}
\]
\[
\frac{\Gamma; \Delta \vdash P_1 \,\&\, P_2}{\Gamma; \Delta \vdash P_1}\ \&\textsc{El}
\qquad
\frac{\Gamma; \Delta \vdash P_1 \,\&\, P_2}{\Gamma; \Delta \vdash P_2}\ \&\textsc{Er}
\qquad
\text{no } \top \text{ elimination}
\]
\[
\frac{\Gamma; \Delta \vdash P_1 \oplus P_2 \qquad \Gamma; (\Delta', P_1) \vdash P \qquad \Gamma; (\Delta', P_2) \vdash P}{\Gamma; (\Delta, \Delta') \vdash P}\ \oplus\textsc{E}
\qquad
\frac{\Gamma; \Delta \vdash 0}{\Gamma; (\Delta, \Delta') \vdash P}\ 0\textsc{E}
\]
\[
\frac{\Gamma \vdash h : H \qquad \Gamma; \Delta \vdash \forall z : H . P}{\Gamma; \Delta \vdash [h/z]P}\ \forall\textsc{E}
\qquad
\frac{\Gamma; \Delta \vdash \exists z : H . P \qquad (\Gamma, z : H); (\Delta', P) \vdash P'}{\Gamma; (\Delta, \Delta') \vdash P'}\ \exists\textsc{E}
\]

Figure 6: Linear logic for permission reasoning


Judgment $\vdash a; H; T$:
\[
\frac{\cdot; \Sigma; \overline{\Delta^\varepsilon}; \overline{u^\varepsilon} \vdash H; \overline{S_p} \qquad \Sigma; \overline{\Delta^\varepsilon}; \overline{u} \vdash T \qquad \textsf{correct-atomic}(a, T)\ \text{where}\ T = \overline{(e, S_p)}}{\vdash a; H; T}
\]

Figure 7: Top-level typing rules
Judgment $\Sigma; \overline{\Delta^\varepsilon}; \overline{u} \vdash T$:
\[
\frac{\Sigma; \Delta_1^\varepsilon; u_1 \vdash e_1 : E_1 \setminus \omega_1 \,|\, u_1' \qquad \Sigma; \Delta_2^\varepsilon, \ldots, \Delta_n^\varepsilon; u_2, \ldots, u_n \vdash T}{\Sigma; \Delta_1^\varepsilon, \Delta_2^\varepsilon, \ldots, \Delta_n^\varepsilon; u_1, u_2, \ldots, u_n \vdash (e, S_p)_1, T}
\]

Figure 8: Well-typed thread-pool


\[
\frac{(o : C) \in \Sigma \qquad \cdot; \Sigma; \Delta \vdash_\varepsilon P}{\cdot; \Sigma; \Delta; \varepsilon; u \vdash k \cdot o : \exists x : C . [x/o]P \setminus \emptyset \,|\, u}\ \textsc{T-Term}
\]

\[
\frac{\mathsf{readonly}(k_u)\ \text{implies}\ \mathsf{readonly}(k) \qquad \cdot; \Sigma; \Delta \vdash_\varepsilon P \qquad \mathsf{localFields}(C) = \overline{f} : \overline{C}}{\cdot; \Sigma; \Delta; \varepsilon; k_u \cdot o@s_u \vdash k \cdot o.f_i : \exists x : C_i . [x/f_i]P \setminus \emptyset \,|\, k_u \cdot o@s_u}\ \textsc{T-Read}
\]

\[
\frac{\begin{array}{c}
\mathsf{localFields}(C') = \overline{f} : \overline{C} \qquad (o' : C') \in \Sigma \qquad \mathsf{writes}(k') \\
\cdot; \Sigma; \Delta \vdash k \cdot o : \exists x : C_i . P \qquad \cdot; \Sigma; \Delta' \vdash [o'.f_i/x]P'
\end{array}}{\cdot; \Sigma; (\Delta, \Delta'); \varepsilon; k' \cdot o'@s' \vdash o'.f_i := k \cdot o : \exists x : C_i . P' \otimes [o'.f_i/x]P \setminus \{o'.f_i\} \,|\, k' \cdot o'@s'}\ \textsc{T-Assign}
\]

\[
\frac{\cdot; \Sigma; \Delta \vdash_\varepsilon [\overline{o}/\overline{f}]P \qquad \overline{o : C} \subseteq \Sigma \qquad \mathsf{init}(C) = (\exists \overline{f} : \overline{C} . P, s)}{\cdot; \Sigma; \Delta; \varepsilon; u \vdash \mathsf{new}\ C(\overline{k \cdot o}) : \exists x : C . \mathsf{unique} \cdot x@s \setminus \emptyset \,|\, u}\ \textsc{T-New}
\]

\[
\frac{\begin{array}{c}
\mathsf{forget}_\varepsilon(k \cdot o@s') = k \cdot o@\$ \qquad k = \mathsf{immutable} \mid \mathsf{pure}\ \text{implies}\ s = s' \qquad \cdot; \Sigma; \Delta', k \cdot o@\$; \varepsilon; - \vdash e' : E \setminus \emptyset \,|\, - \\
\mathsf{localFields}(C) = \overline{f} : \overline{C} \qquad (o : C) \in \Sigma \qquad \cdot; \Sigma; \Delta \vdash_\varepsilon [o/\mathit{this}]\mathsf{inv}_C(s', k) \\
\text{No temporary permissions for}\ o.\overline{f}\ \text{in}\ \Delta'
\end{array}}{\cdot; \Sigma; (\Delta, \Delta'); \varepsilon; k \cdot o@s \vdash \mathsf{pack}\ o\ \mathsf{to}\ s'\ \mathsf{in}\ e' : E \setminus \{o.\overline{f}\} \,|\, -}\ \textsc{T-Pack}
\]

\[
\frac{\begin{array}{c}
k = \mathsf{unique} \mid \mathsf{full} \mid \mathsf{immutable} \qquad (o : C) \in \Sigma \qquad \cdot; \Sigma; \Delta \vdash_\varepsilon k \cdot o@s \\
\varepsilon = \mathsf{emp} \mid \mathsf{ot} \qquad \cdot; \Sigma; \Delta', [o/\mathit{this}]\mathsf{inv}_C(s, k); \varepsilon; k \cdot o@s \vdash e' : E \setminus \omega \,|\, -
\end{array}}{\cdot; \Sigma; (\Delta, \Delta'); \varepsilon; - \vdash \mathsf{unpack}_\varepsilon\ k \cdot o@s\ \mathsf{in}\ e' : E \setminus \emptyset \,|\, -}\ \textsc{T-Unpack}
\]

\[
\frac{(o : C) \in \Sigma \qquad \cdot; \Sigma; \Delta \vdash_{\mathsf{wt}} k \cdot o@s \qquad \cdot; \Sigma; \Delta', [o/\mathit{this}]\mathsf{inv}_C(s, k); \mathsf{wt}; k \cdot o@s \vdash e' : E \setminus \omega \,|\, -}{\cdot; \Sigma; (\Delta, \Delta'); \mathsf{wt}; - \vdash \mathsf{unpack}_{\mathsf{wt}}\ k \cdot o@s\ \mathsf{in}\ e' : E \setminus \emptyset \,|\, -}\ \textsc{T-Unpack-Wt}
\]

\[
\frac{\begin{array}{c}
(o : C) \in \Sigma \qquad \overline{o : C} \subseteq \Sigma \qquad \cdot; \Sigma; \Delta \vdash_\varepsilon [o/\mathit{this}][\overline{o}/\overline{x}]P \\
\mathsf{mtype}(C, m) = \forall \overline{x} : \overline{C} . P \multimap \exists x : C . P_r \qquad \mathsf{forget}_\varepsilon(P_r) = P_r'
\end{array}}{\cdot; \Sigma; \Delta; \varepsilon; - \vdash k \cdot o.m(\overline{k \cdot o}) : \exists x : C . P_r' \setminus \emptyset \,|\, -}\ \textsc{T-Call}
\]

\[
\frac{o : C \in \Sigma \qquad \overline{o : C} \in \Sigma \qquad \mathsf{mtype}(C, m) = \forall \overline{x} : \overline{C} . P \multimap E \qquad \cdot; \Sigma; \Delta^{\mathsf{ot}} \vdash_{\mathsf{ot}} [o/\mathit{this}][\overline{o}/\overline{x}]P}{\cdot; \Sigma; \Delta; \mathsf{ot}; - \vdash \mathsf{spawn}(k \cdot o.m(\overline{k \cdot o})) : \exists\_ . \mathsf{immutable} \cdot o_d@s_d \setminus \emptyset \,|\, -}\ \textsc{T-Spawn}
\]

\[
\frac{\begin{array}{c}
\Sigma; \Delta_2, P \vdash_\varepsilon P' \qquad \cdot; \Sigma; \Delta_1; \varepsilon; u \vdash e_1 : \exists x : C . P \setminus \omega_1 \,|\, u_2 \qquad x : C; \Sigma; P'; \varepsilon; u_2 \vdash e_2 : E \setminus \omega_2 \,|\, u' \\
\text{No permissions for}\ \omega_1\ \text{in}\ \Delta_2
\end{array}}{\cdot; \Sigma; (\Delta_1, \Delta_2); \varepsilon; u \vdash \mathsf{let}\ x = e_1\ \mathsf{in}\ e_2 : E \setminus \omega_1 \cup \omega_2 \,|\, u'}\ \textsc{T-Let}
\]

\[
\frac{\cdot; \Sigma; \Delta; \mathsf{wt}; u \vdash e : \exists x : C . P \setminus \omega \,|\, u' \qquad \mathsf{forget}_\varepsilon(P) = P'}{\cdot; \Sigma; \Delta; \varepsilon; u \vdash \mathsf{inatomic}(e) : \exists x : C . P' \setminus \omega \,|\, u'}\ \textsc{T-InAtomic}
\]

\[
\frac{\cdot; \Sigma; \Delta; \mathsf{wt}; u \vdash e : \exists x : C . P \setminus \omega \,|\, u' \qquad \mathsf{forget}_\varepsilon(P) = P'}{\cdot; \Sigma; \Delta; \varepsilon; u \vdash \mathsf{atomic}(e) : \exists x : C . P' \setminus \omega \,|\, u'}\ \textsc{T-Atomic}
\]
1.4 Dynamic Semantics

Judgment $a; H; T \to a'; H'; T'$:
\[
\frac{a; H; e \to a'; H'; e'; T'}{a; H; T_a, e, T_b \to a'; H'; T_a, e', T_b, T'}
\]

Figure 9: Top-level Dynamic Semantics
Judgment $a; H; (e, S_p) \to a'; H'; (e', S_p'); T$:

\[
\frac{k = \mathsf{pure} \mid \mathsf{immutable} \qquad o \mapsto C(\ldots, f_i = k' \cdot o')@\mathsf{unpacked}(s'') \in H}{a; H; (k \cdot o.f_i, S_p) \to a; H[o \mapsto C(\ldots, f_i = (k' - k) \cdot o')@\mathsf{unpacked}(s'')]; (k \cdot o', (S_p + k \cdot o')); \cdot}\ \textsc{E-Read-R}
\]

\[
\frac{k \leq k' \qquad o \mapsto C(\ldots, f_i = k' \cdot o')@\mathsf{unpacked}(k'') \in H}{a; H; (k \cdot o.f_i, S_p) \to a; H[o \mapsto C(\ldots, f_i = (k' - k) \cdot o')@\mathsf{unpacked}(k'')]; (k \cdot o', (S_p + k \cdot o')); \cdot}\ \textsc{E-Read-RW}
\]

\[
\frac{\begin{array}{c}
k_1 \cdot o_1 \in S_p \qquad o_1 \mapsto C(\ldots, f = k' \cdot o', \ldots)@\mathsf{unpacked}(k'') \in H \qquad k_2 \cdot o_2 \in S_p \qquad o_2 \mapsto C(\ldots)@S_2 \in H \\
H' = H[o_1 \mapsto C(\ldots, f = k \cdot o_2, \ldots)@\mathsf{unpacked}(k'')] \qquad S_p' = S_p[(k_2 - k) \cdot o_2], k' \cdot o'
\end{array}}{a; H; (o_1.f := k \cdot o_2, S_p) \to a; H'; (k' \cdot o', S_p'); \cdot}\ \textsc{E-Assign}
\]

\[
\frac{H; S_p \vdash [\overline{o}/\overline{f}]P \qquad \mathsf{init}(C) = (\exists \overline{f} : \overline{C} . P, s) \qquad S_p' = S_p - \overline{k \cdot o} \qquad o_n \notin \mathrm{dom}(H)}{a; H; (\mathsf{new}\ C(\overline{k \cdot o}), S_p) \to a; (H, o_n \mapsto C(\overline{f = k \cdot o})@s); (\mathsf{unique} \cdot o_n, (S_p', \mathsf{unique} \cdot o_n)); \cdot}\ \textsc{E-New}
\]

\[
\frac{\begin{array}{c}
\varepsilon = \mathsf{ot} \mid \mathsf{emp} \qquad k' \cdot o \in S_p \qquad \mathsf{readonly}(k) \qquad o \mapsto C(\ldots)@S \in H \qquad k \leq k' \\
k = \mathsf{immutable} \supset S = (\mathsf{unpacked}(s) \mid s), \qquad k = \mathsf{pure} \supset S = s
\end{array}}{a; H; (\mathsf{unpack}_\varepsilon\ k \cdot o@s\ \mathsf{in}\ e', S_p) \to a; H[o \mapsto C(\ldots)@\mathsf{unpacked}(s)]; (e', S_p[(k' - k) \cdot o]); \cdot}\ \textsc{E-Unpack-R}
\]

\[
\frac{\begin{array}{c}
k' \cdot o \in S_p \qquad \mathsf{readonly}(k) \qquad o \mapsto C(\ldots)@S \in H \qquad k \leq k' \\
k = \mathsf{immutable} \supset S = (\mathsf{unpacked}(s) \mid s), \qquad k = \mathsf{pure} \supset S = s
\end{array}}{\bullet; H; (\mathsf{unpack}_{\mathsf{wt}}\ k \cdot o@s\ \mathsf{in}\ e', S_p) \to \bullet; H[o \mapsto C(\ldots)@\mathsf{unpacked}(s)]; (e', S_p[(k' - k) \cdot o]); \cdot}\ \textsc{E-Unpack-R-Wt}
\]

\[
\frac{\varepsilon = \mathsf{ot} \mid \mathsf{emp} \qquad k' \cdot o \in S_p \qquad \mathsf{writes}(k) \qquad o \mapsto C(\ldots)@s \in H \qquad k \leq k'}{a; H; (\mathsf{unpack}_\varepsilon\ k \cdot o@s\ \mathsf{in}\ e', S_p) \to a; H[o \mapsto C(\ldots)@\mathsf{unpacked}(k)]; (e', S_p[(k' - k) \cdot o]); \cdot}\ \textsc{E-Unpack-RW}
\]

\[
\frac{k' \cdot o \in S_p \qquad \mathsf{writes}(k) \qquad o \mapsto C(\ldots)@s \in H \qquad k \leq k'}{\bullet; H; (\mathsf{unpack}_{\mathsf{wt}}\ k \cdot o@s\ \mathsf{in}\ e', S_p) \to \bullet; H[o \mapsto C(\ldots)@\mathsf{unpacked}(k)]; (e', S_p[(k' - k) \cdot o]); \cdot}\ \textsc{E-Unpack-RW-Wt}
\]

\[
\frac{\mathsf{inv}_C(s)\ \text{satisfied by}\ o\text{'s fields} \qquad k_o \cdot o \in S_p \qquad o \mapsto C(\overline{f = k \cdot o})@\mathsf{unpacked}(s) \in H}{a; H; (\mathsf{pack}\ o\ \mathsf{to}\ s\ \mathsf{in}\ e', S_p) \to a; H[o \mapsto C(\overline{f = k \cdot o})@s]; (e', S_p)}\ \textsc{E-Pack-R}
\]

\[
\frac{\mathsf{inv}_C(s)\ \text{satisfied by}\ o\text{'s fields} \qquad k_o \cdot o \in S_p \qquad o \mapsto C(\overline{f = k \cdot o})@\mathsf{unpacked}(k) \in H}{a; H; (\mathsf{pack}\ o\ \mathsf{to}\ s\ \mathsf{in}\ e', S_p) \to a; H[o \mapsto C(\overline{f = k \cdot o})@s]; (e', S_p[(k + k_o) \cdot o])}\ \textsc{E-Pack-RW}
\]

\[
\frac{\mathsf{mbody}(C, m) = \overline{x}.e_m \qquad \mathsf{mtype}(C, m) = \forall \overline{x} : \overline{C} . P \multimap E \qquad H; S_p \,|\, k \cdot o, \overline{k \cdot o} \vdash [o/\mathit{this}][\overline{o}/\overline{x}]P}{a; H; (k \cdot o.m(\overline{k \cdot o}), S_p) \to a; H; ([o/\mathit{this}][\overline{o}/\overline{x}]e_m, S_p); \cdot}\ \textsc{E-Call}
\]

\[
\frac{\mathsf{mbody}(C, m) = \overline{x}.e_m \qquad \mathsf{mtype}(C, m) = \forall \overline{x} : \overline{C} . P \multimap E \qquad H; S_{p2} \,|\, k \cdot o, \overline{k \cdot o} \vdash [o/\mathit{this}][\overline{o}/\overline{x}]P}{\circ; H; (\mathsf{spawn}(k \cdot o.m(\overline{k \cdot o})), (S_{p1}, S_{p2})) \to \circ; H; (o_d, S_{p1}); ([o/\mathit{this}][\overline{o}/\overline{x}]e_m, S_{p2})}\ \textsc{E-Spawn}
\]

\[
\frac{a; H; (e_1, S_p) \to a'; H'; (e_1', S_p'); T}{a; H; (\mathsf{let}\ x = e_1\ \mathsf{in}\ e_2, S_p) \to a'; H'; (\mathsf{let}\ x = e_1'\ \mathsf{in}\ e_2, S_p'); T}\ \textsc{E-Let-E}
\]

\[
\frac{k' \cdot o \in S_p \qquad o \mapsto C(\ldots)@S \in H \qquad k \leq k'}{a; H; (\mathsf{let}\ x = k \cdot o\ \mathsf{in}\ e_2, S_p) \to a; H; ([o/x]e_2, S_p); \cdot}\ \textsc{E-Let-V}
\]

\[
\frac{}{\circ; H; (\mathsf{atomic}(e), S_p) \to \bullet; H; (\mathsf{inatomic}(e), S_p); \cdot}\ \textsc{E-Atomic-Begin}
\qquad
\frac{}{\bullet; H; (\mathsf{inatomic}(k \cdot o), S_p) \to \circ; H; (k \cdot o, S_p); \cdot}\ \textsc{E-Atomic-Exit}
\]

\[
\frac{a; H; (e, S_p) \to a'; H'; (e', S_p'); T}{\bullet; H; (\mathsf{inatomic}(e), S_p) \to \bullet; H'; (\mathsf{inatomic}(e'), S_p'); T}\ \textsc{E-Inatomic}
\]
1.5 Preservation

1.5.1 Definition of Store Typing

$\Sigma; \overline{\Delta^\varepsilon}; \overline{u^\varepsilon} \vdash H; \overline{S_p}$

The above judgement is true if:

1. $\Sigma; \overline{\Delta^\varepsilon} \vdash \overline{S_p}$

2. $\Sigma; \overline{\Delta^\varepsilon}; \overline{S_p}; \overline{u^\varepsilon} \vdash H$

Judgment $\Sigma; \overline{\Delta^\varepsilon} \vdash \overline{S_p}$:
\[
\frac{\Sigma; \Delta_1^\varepsilon \vdash S_{p1} \qquad \ldots \qquad \Sigma; \Delta_n^\varepsilon \vdash S_{pn}}{\Sigma; \Delta_1^\varepsilon, \Delta_2^\varepsilon, \ldots, \Delta_n^\varepsilon \vdash S_{p1}, S_{p2}, \ldots, S_{pn}}
\qquad
\frac{}{\Sigma; \cdot \vdash \cdot}
\]
\[
\frac{\{o \mid k \cdot o@\$ \in \Delta\} \subseteq \{o \mid k \cdot o \in S_p\} \qquad \forall k \cdot o \in S_p : \ \cdot; \Sigma; \Delta \vdash k' \cdot o@\$ \otimes \top \supset k' \leq k}{\Sigma; \Delta^\varepsilon \vdash S_p}
\]
Where the above rule ignores permissions on fields.

Judgment $\Sigma; \overline{\Delta^\varepsilon}; \overline{S_p}; \overline{u^\varepsilon} \vdash H$. The above judgement is true if:

1. $\mathrm{dom}(\Sigma) = \mathrm{dom}(H)$

2. $a; (\overline{\Delta^\varepsilon}, \overline{u^\varepsilon})\ \textsf{ok}$

3. $\forall u^\varepsilon \in \overline{u^\varepsilon}$: $u^\varepsilon = k \cdot o@s \supset \varepsilon = \mathsf{wt} \mid k = \mathsf{immutable} \mid \mathsf{unique} \mid \mathsf{full}$, and $o \mapsto C(\ldots)@S \in H$, where $S = \mathsf{unpacked}(s)$ if $\mathsf{readonly}(k)$ or $S = \mathsf{unpacked}(k)$ if $\mathsf{writes}(k)$. Also, $o \notin \overline{u} \supset o$ is packed in $H$ and $\mathsf{inv}_C(o, \mathsf{unique})$.

4. $\forall o \in \mathrm{dom}(\Sigma)$, $\forall \Delta \in \overline{\Delta}$: if $o \mapsto C(\overline{f = k \cdot o})@S \in H$ then

(a) $(o : C) \in \Sigma$

(b) Either $S = \mathsf{unpacked}(k)$, or $S = \mathsf{unpacked}(s)$ and $[o/\mathit{this}]\mathsf{inv}_C(s, \mathsf{immutable})$ is satisfied by $o$'s fields, or $S = s$ and $[o/\mathit{this}]\mathsf{inv}_C(s, \mathsf{unique})$ is satisfied by $o$'s fields.

(c) If $\cdot; \Sigma; \Delta \vdash k \cdot o@\$ \otimes \top$ then $S \leq \$$.

(d) If $\cdot; \Sigma; \Delta \vdash k' \cdot o.f_i@\$ \otimes \top$, then $k' \leq k_i$ (and $o = o_{\mathit{unp}}$) and $o_i \mapsto C_o(\ldots)@S_o \in H$ and either $S = \mathsf{unpacked}(s)$, which implies $\mathsf{readonly}(k')$, or $S = \mathsf{unpacked}(k')$. If $S = \mathsf{unpacked}(s)$ then $\$ = S_o$ or $\$ = ?$.

(e) $\mathsf{unique} \cdot o@s \in \Delta, u \supset k \cdot o@\$$ not in any other $\Delta$ or $u$ in $\overline{\Delta}$ or $\overline{u}$. Also, $\mathsf{full} \cdot o@s \in \Delta, u \supset \mathsf{full} \cdot o@\$$ and $k \cdot o@s$ not in any other $\Delta$ or $u$ in $\overline{\Delta}$ or $\overline{u}$.

(f) $\mathsf{immutable} \cdot o@s \in \Delta, u \supset (k \cdot o@\$ \in \Delta, u \supset k = \mathsf{immutable}\ \&\ (\$ = s \mid \$ = ?))$

(g) Where $k_i = \mathsf{unique}$ implies $k \cdot o_i \notin \Delta, u$; where $k_i = \mathsf{full}$ implies $\mathsf{full} \cdot o_i@\$$ and $k \cdot o_i@s \notin \Delta, u$; and where $k_i = \mathsf{immutable}$ and $o \mapsto C(\ldots)@S$, where $S = s \mid \mathsf{unpacked}(s)$, implies $k' \cdot o_i@s' \notin \Delta, u$, where $k' \neq \mathsf{immutable} \mid s' \neq s$.
1.5.2 Property Satisfied at Runtime

If

• $o \mapsto C(\ldots)@s \in H$ and $k' \cdot o \in S_p$

• $\cdot \,|\, o : C \,|\, k \cdot o@s \vdash P$ (an instance of $\Gamma \,|\, \Sigma \,|\, \Delta \vdash P$)

• $k \leq k'$

then $H; S_p \,|\, k \cdot o \vdash P$.

1.5.3 Lemma: Compositionality

If $\Sigma; \overline{\Delta^\varepsilon}; \overline{u^\varepsilon} \vdash H; \overline{S_p}$ and $\Delta_j = \Delta_{j1}, \Delta_{j2}$ then $\Sigma; \overline{\Delta^\varepsilon}{}'; \overline{u^\varepsilon} \vdash H; \overline{S_p}$ where $\Delta_j$ is replaced with $\Delta_{j1}$, and $\Sigma; \overline{\Delta^\varepsilon}{}''; \overline{u^\varepsilon} \vdash H; \overline{S_p}$ where $\Delta_j$ is replaced with $\Delta_{j2}$.

Proof: Immediate from the definition of store typing. We are always allowed to know less statically about permissions than what is true at run-time, so long as what we know statically is consistent with the run-time information.

1.5.4 Lemma: Packing Flag

If $\Gamma; \Sigma; \Delta; \varepsilon; u \vdash e : E \setminus \omega \,|\, u'$ then either (a) $u = -$ and $\omega = \emptyset$ or (b) $u = k \cdot t@s$ and $\omega$ contains only fields of $t$.

Proof: (a) $u = -$ is not a valid precondition for producing effects (using assignment or packing). (b) By induction on typing derivations, using (a). Only one object can be unpacked at a time, permission for the unpacked object is needed for assignments and packing, and the effect of an unpack expression is $\emptyset$.

1.5.5 Object Weight

• $w(o, \Delta) = \sum_{k \cdot o@\$ \in \Delta} k$, ignoring fields.

• $w(o, u) = k$ if $u = k \cdot o@s$, and $0$ otherwise.

• $w(o, S_p) = \sum_{k \cdot o \in S_p} k$

Where $k + k'$ is defined as:

• $\mathsf{full} + \mathsf{pure} = \mathsf{full}$

• $\mathsf{share} + \mathsf{pure} = \mathsf{share}$, $\mathsf{share} + \mathsf{share} = \mathsf{share}$

• $\mathsf{immutable} + \mathsf{immutable} = \mathsf{immutable}$

• $\mathsf{pure} + \mathsf{pure} = \mathsf{pure}$
1.5.6 Preservation for Thread Pools

If

• $a; H; T \to a'; H'; T'$

• $\vdash a; H; T$

Then there exists

• $\Sigma' \supseteq \Sigma$

• $\overline{\Delta^\varepsilon}{}'$

• $\overline{u^\varepsilon}{}'$

• $\omega'$

such that

• $\Sigma'; \overline{\Delta}{}'; \mathsf{ot}; \overline{u}{}' \vdash T'$

• $\Sigma'; \overline{\Delta^\varepsilon}{}'; \overline{u^\varepsilon}{}' \vdash H'; \overline{S_p}{}'$, where $T' = \langle \overline{e'}, \overline{S_p}{}' \rangle$

• $\textsf{correct-atomic}(a', T')$

• $\forall o \in \mathrm{dom}(H) : w(o, S_p) - w(o, \Delta) - w(o, u) \leq w(o, S_p') - w(o, \Delta') - w(o, u')$, for each $\Delta$ in $\overline{\Delta}$, $S_p$ in $\overline{S_p}$, $\Delta'$ in $\overline{\Delta}{}'$, and $S_p'$ in $\overline{S_p}{}'$

Proof: By structural induction on the derivation of $a; H; T \to a'; H'; T'$.

Case Top-Level

$\vdash a; H; T$ [Assumption]

$a; H; e \to a'; H'; e'; T'$ where $T = T_a \,|\, e \,|\, T_b$ [Inversion of only eval rule]

$\cdot; \Sigma; \overline{\Delta^\varepsilon}; \overline{u^\varepsilon} \vdash H; \overline{S_p}$, $\Sigma; \overline{\Delta^\varepsilon}; \overline{u} \vdash T$, $\textsf{correct-atomic}(a, T)$ where $T = \overline{(e, S_p)}$ [Inversion of only typing rule]

$\cdot; \Sigma; \Delta; \mathsf{ot}; u \vdash e : E \setminus \omega \,|\, u''$ [From well-typed thread pool]

Invoke preservation for single threads: there exist $\Sigma', \Delta^{\varepsilon\prime}, u^{\varepsilon\prime}, \omega', a'$ s.t. $\cdot; \Sigma'; \Delta'; \mathsf{ot}; u' \vdash e' : E \setminus \omega' \,|\, u''$ [Single-threaded lemma]

If $T' \neq \cdot$, the spawned thread is well-typed [Single-threaded lemma]

$\Sigma'; \overline{\Delta}{}'; \mathsf{ot}; \overline{u}{}' \vdash T'$ [Single-threaded lemma]

$\Sigma'; \overline{\Delta^\varepsilon}{}'; \overline{u^\varepsilon}{}' \vdash H'; \overline{S_p}{}'$ [Single-threaded lemma]

$\forall o \in \mathrm{dom}(H) : w(o, S_p) - w(o, \Delta) - w(o, u) \leq w(o, S_p') - w(o, \Delta') - w(o, u')$, for each $\Delta$ in $\overline{\Delta}$, $S_p$ in $\overline{S_p}$, $\Delta'$ in $\overline{\Delta}{}'$, and $S_p'$ in $\overline{S_p}{}'$ [Single-threaded lemma]

$\textsf{not-active}(T')$ [Single-threaded lemma]

If $a = \circ$, this implies $\textsf{not-active}(T)$. If $a' = \bullet$, then by the single-threaded lemma $\textsf{active}(e')$. If $a' = \circ$, then by the single-threaded lemma $\textsf{not-active}(e')$. Thus, $\textsf{correct-atomic}(a', T')$.

If $a = \bullet$ and $\textsf{active}(e)$, this implies $\textsf{not-active}(T_a \,|\, T_b)$. If $a' = \bullet$ then by the single-threaded lemma $\textsf{active}(e')$. If $a' = \circ$ then by the single-threaded lemma $\textsf{not-active}(e')$. Thus, $\textsf{correct-atomic}(a', T')$.

If $a = \bullet$ and $\textsf{not-active}(e)$, this implies $\textsf{active}(T_a)$ or $\textsf{active}(T_b)$. Only one may be active but neither will change during $e$'s step, so $a' = \bullet$. The single-threaded lemma gives us $\textsf{not-active}(e')$. Thus, $\textsf{correct-atomic}(a', T')$.


1.5.7 Preservation for Single Threads

If

• $\Gamma; \Sigma; \Delta; \varepsilon; u \vdash e : E \setminus \omega \,|\, u''$

• $\Sigma; \overline{\Delta^\varepsilon}; \overline{u^\varepsilon} \vdash H; \overline{S_p}$, where $\overline{\Delta^\varepsilon} = (\Delta_1, \Delta_1^*)^\varepsilon, (\Delta_2, \Delta_2^*)^\varepsilon, \ldots, (\Delta_n, \Delta_n^*)^\varepsilon$, where $\Delta^*$ contains extra permissions that contain no temporary state information and no permissions for fields in $u$.

• $a; H; (e, S_p) \to a'; H'; (e', S_p'); T$

• And exactly one of the following:

- $a = \circ$ and $\textsf{not-active}(e)$

- $a = \bullet$ and $\textsf{not-active}(e)$

- $a = \bullet$ and $\textsf{active}(e)$

Then there exists

• $\Sigma' \supseteq \Sigma$

• $u'$ tagged with $\varepsilon$, written $u^{\varepsilon\prime}$.

• $\omega'$, where either (a) $a; H; (e, S_p) \to a'; H'; (e', S_p'); T$ unpacks an object $o$, i.e., $u^\varepsilon = -$ and $u^{\varepsilon\prime} = k \cdot o@s$ and $\omega' - \omega$ only mentions fields of $o$, or (b) $\omega' \subseteq \omega$.

• $\Delta'$ tagged with $\varepsilon$, written $\Delta^{\varepsilon\prime}$.

• $S_{pt}$, $\Delta_t$ and $u_t$.

such that

• $T$ is either $e_t$ or $\cdot$

• $\cdot; \Sigma'; \Delta'; \varepsilon; u' \vdash e' : E \setminus \omega' \,|\, u''$

• $\Sigma'; \overline{\Delta^\varepsilon}{}'; \overline{u^\varepsilon}{}' \vdash H'; \overline{S_p}{}'$, where $\overline{\Delta}{}'$ and $\overline{S_p}{}'$ are $\overline{\Delta}$ and $\overline{S_p}$ with $(\Delta', \Delta^*)$ swapped for $(\Delta, \Delta^*)$ and $S_p'$ swapped for $S_p$ (and including $S_{pt}$ and $\Delta_t$ if $T = e_t$).

• $\forall o \in \mathrm{dom}(H) : w(o, S_p) - w(o, \Delta) - w(o, u) \leq w(o, S_p') - w(o, \Delta') - w(o, u')$, for each $\Delta$ in $\overline{\Delta}$, $S_p$ in $\overline{S_p}$, $\Delta'$ in $\overline{\Delta}{}'$, and $S_p'$ in $\overline{S_p}{}'$

• If $T$ is $e_t$ then $\cdot; \Sigma'; \Delta_t; \mathsf{ot}; - \vdash e_t : E_t \setminus \omega_t \,|\, -$

• As well as all of the following, although exactly one will not be vacuous:

- if $a = a'$ and $\textsf{not-active}(e)$ then $\textsf{not-active}(e')$

- if $a = a'$ and $\textsf{active}(e)$ then $\textsf{active}(e')$

- if $a = \circ$ and $a' = \bullet$ and $\textsf{not-active}(e)$ then $\textsf{active}(e')$

- if $a = \bullet$ and $a' = \circ$ and $\textsf{active}(e)$ then $\textsf{not-active}(e')$

Proof: By structural induction on the derivation of $a; H; (e, S_p) \to a'; H'; (e', S_p'); T$.

Case E-Unpack-RW-Wt

So $e = \mathsf{unpack}_{\mathsf{wt}}\ k \cdot o@s\ \mathsf{in}\ e_2$, $e' = e_2$, $a = a' = \bullet$, $H' = H[o \mapsto C(\ldots)@\mathsf{unpacked}(k)]$, $S_p' = S_p[(k' - k) \cdot o]$ and $T = \cdot$.

$\cdot; \Sigma; \Delta; \varepsilon; u \vdash e : E \setminus \omega \,|\, u''$ [Assumption]

$\Sigma; \overline{\Delta^\varepsilon}; \overline{u^\varepsilon} \vdash H; \overline{S_p}$ [Assumption]

$\mathsf{writes}(k)$, $o \mapsto C(\ldots)@s \in H$, $k' \cdot o \in S_p$, $k \leq k'$ [Inversion of only eval rule]

$o \in \Sigma$, $\Delta^\varepsilon = \Delta^{\mathsf{wt}} = (\Delta_1^\varepsilon, \Delta_2^\varepsilon) = (k \cdot o@s, \Delta_2)$, $\cdot; \Sigma; \Delta_1 \vdash_{\mathsf{wt}} k \cdot o@s$, $u = u'' = -$, $\omega = \emptyset$, $\cdot; \Sigma; \Delta_2, [o/\mathit{this}]\mathsf{inv}_C(s, k); \mathsf{wt}; k \cdot o@s \vdash e_2 : E \setminus \omega_2 \,|\, -$ [Inversion of only typing rule]

Let $\Sigma' = \Sigma$, $\Delta^{\mathsf{wt}\prime} = \Delta_2, [o/\mathit{this}]\mathsf{inv}_C(s, k)$, $u^{\mathsf{wt}\prime} = k \cdot o@s$, $\omega' = \omega_2$.

$\cdot; \Sigma'; \Delta'; \mathsf{wt}; u' \vdash e' : E \setminus \omega' \,|\, -$ [Substitution]

Must show $\Sigma'; \overline{\Delta^\varepsilon}{}'; \overline{u^\varepsilon}{}' \vdash H'; \overline{S_p}{}'$.

$\Sigma'; (\Delta^{\mathsf{wt}\prime}, \Delta^*) \vdash S_p'$ [We have removed $k \cdot o$ from $\Delta$ and $S_p$, and added field perms to $\Delta$ which are ignored.]

$\Sigma'; \overline{\Delta}{}' \vdash \overline{S_p}{}'$ [No other $\Delta$ or $S_p$ changed.]

Must show $\Sigma'; \overline{\Delta^\varepsilon}{}'; \overline{S_p}{}'; \overline{u^\varepsilon}{}' \vdash H'$:

1.) ok. No change to $\mathrm{dom}(\Sigma)$ or $\mathrm{dom}(H)$.

2.) ok. $\Delta^{\mathsf{wt}\prime}$ and $u^{\mathsf{wt}\prime}$ were and remain the only wt elements.

3.) ok. For $u^{\mathsf{wt}\prime}$, $\varepsilon = \mathsf{wt}$. $o \mapsto C(\ldots)@\mathsf{unpacked}(k) \in H'$ and $\mathsf{writes}(k)$.

4.a.) ok. No change.

4.b.) ok. $S = \mathsf{unpacked}(k)$.

4.c.) ok. No new stack perms in $\Delta'$.

4.d.) ok. 4.b. was true before the step. Fields added to $\Delta'$ are given by $\mathsf{inv}_C(s, k)$.

4.e.) ok. 4.g. was true before the step. Any unique or full fields cannot be in other $\Delta$s and $u$.

4.f.) ok. 4.g. was true before the step. Other permissions to fields must agree with state.

4.g.) ok. No fields altered.

$o$ was unpacked. $u = -$ and $u' = k \cdot o@s$. $\omega' - \omega = \omega'$ only contains fields of $o$. [Packing flag lemma]

$\forall o \in \mathrm{dom}(H) : w(o, S_p) - w(o, \Delta) - w(o, u) \leq w(o, S_p') - w(o, \Delta') - w(o, u')$ [Net is unchanged. Permission moved from $\Delta$ to $u'$.]

$T = \cdot$

$\textsf{not-active}(\mathsf{unpack})$ implies $\textsf{not-active}(e_2)$ [Inversion of not-active]

$\textsf{active}(\mathsf{unpack})$ cannot be derived.

$a = a'$ and $\textsf{not-active}(e)$ implies $\textsf{not-active}(e')$ [Above]


Case E-Unpack-RW

So $e = \mathsf{unpack}_\varepsilon\ k \cdot o@s\ \mathsf{in}\ e_2$, $e' = e_2$, $a = a'$, $H' = H[o \mapsto C(\ldots)@\mathsf{unpacked}(k)]$, $S_p' = S_p[(k' - k) \cdot o]$ and $T = \cdot$.

$\cdot; \Sigma; \Delta; \varepsilon; u \vdash e : E \setminus \omega \,|\, u''$ [Assumption]

$\Sigma; \overline{\Delta^\varepsilon}; \overline{u^\varepsilon} \vdash H; \overline{S_p}$ [Assumption]

$\mathsf{writes}(k)$, $o \mapsto C(\ldots)@s \in H$, $k' \cdot o \in S_p$, $k \leq k'$, $\varepsilon = \mathsf{ot} \mid \mathsf{emp}$ [Inversion of only eval rule]

$o \in \Sigma$, $\Delta^\varepsilon = (\Delta_1, \Delta_2)$, $\cdot; \Sigma; \Delta_1 \vdash_\varepsilon k \cdot o@s$, $u = u'' = -$, $\omega = \emptyset$, $k = \mathsf{unique} \mid \mathsf{full} \mid \mathsf{immutable}$, $\cdot; \Sigma; \Delta_2, [o/\mathit{this}]\mathsf{inv}_C(s, k); \varepsilon; k \cdot o@s \vdash e_2 : E \setminus \omega_2 \,|\, -$ [Inversion of only typing rule]

Let $\Sigma' = \Sigma$, $\Delta^{\varepsilon\prime} = \Delta_2, [o/\mathit{this}]\mathsf{inv}_C(s, k)$, $u^{\varepsilon\prime} = k \cdot o@s$, $\omega' = \omega_2$.

$\cdot; \Sigma'; \Delta'; \varepsilon; u' \vdash e' : E \setminus \omega' \,|\, -$ [Substitution]

Must show $\Sigma'; \overline{\Delta^\varepsilon}{}'; \overline{u^\varepsilon}{}' \vdash H'; \overline{S_p}{}'$.

$\Sigma'; (\Delta^{\varepsilon\prime}, \Delta^*) \vdash S_p'$ [We have removed $k \cdot o$ from $\Delta$ and $S_p$, and added field perms to $\Delta$ which are ignored.]

$\Sigma'; \overline{\Delta}{}' \vdash \overline{S_p}{}'$ [No other $\Delta$ or $S_p$ changed.]

Must show $\Sigma'; \overline{\Delta^\varepsilon}{}'; \overline{S_p}{}'; \overline{u^\varepsilon}{}' \vdash H'$:

1.) ok. No change to $\mathrm{dom}(\Sigma)$ or $\mathrm{dom}(H)$.

2.) ok. We have not changed the number of wt elements from before. If $\varepsilon \neq \mathsf{wt}$, then $\textsf{not-wt}(\Delta')$ because invariants cannot contain pure and share information.

3.) ok. $k = \mathsf{immutable} \mid \mathsf{full} \mid \mathsf{unique}$. $o \mapsto C(\ldots)@\mathsf{unpacked}(k) \in H'$ and $\mathsf{writes}(k)$.

4.a.) ok. No change.

4.b.) ok. $S = \mathsf{unpacked}(k)$.

4.c.) ok. No new stack perms in $\Delta'$.

4.d.) ok. 4.b. was true before the step. Fields added to $\Delta'$ are given by $\mathsf{inv}_C(s, k)$.

4.e.) ok. 4.g. was true before the step. Any unique or full fields cannot be in other $\Delta$s and $u$.

4.f.) ok. 4.g. was true before the step. Other permissions to fields must agree with state.

4.g.) ok. No fields altered.

$o$ was unpacked. $u = -$ and $u' = k \cdot o@s$. $\omega' - \omega = \omega'$ only contains fields of $o$. [Packing flag lemma]

$\forall o \in \mathrm{dom}(H) : w(o, S_p) - w(o, \Delta) - w(o, u) \leq w(o, S_p') - w(o, \Delta') - w(o, u')$ [Net is unchanged. Permission moved from $\Delta$ to $u'$.]

$T = \cdot$

$\textsf{not-active}(\mathsf{unpack})$ implies $\textsf{not-active}(e_2)$ [Inversion of not-active]

$\textsf{active}(\mathsf{unpack})$ cannot be derived.

$a = a'$ and $\textsf{not-active}(e)$ implies $\textsf{not-active}(e')$ [Above]


Case E-Unpack-R

So $e = \mathsf{unpack}_\varepsilon\ k \cdot o@s\ \mathsf{in}\ e_2$, $e' = e_2$, $a = a'$, $H' = H[o \mapsto C(\ldots)@\mathsf{unpacked}(s)]$, $S_p' = S_p[(k' - k) \cdot o]$ and $T = \cdot$.

$\cdot; \Sigma; \Delta; \varepsilon; u \vdash e : E \setminus \omega \,|\, u''$ [Assumption]

$\Sigma; \overline{\Delta^\varepsilon}; \overline{u^\varepsilon} \vdash H; \overline{S_p}$ [Assumption]

$\varepsilon = \mathsf{ot} \mid \mathsf{emp}$, $k' \cdot o \in S_p$, $\mathsf{readonly}(k)$, $o \mapsto C(\ldots)@S \in H$, $k \leq k'$, $k = \mathsf{immutable} \supset S = (\mathsf{unpacked}(s) \mid s)$, $k = \mathsf{pure} \supset S = s$ [Inversion of only eval rule]

$\cdot; \Sigma; (\Delta_1, \Delta_2); \varepsilon; - \vdash \mathsf{unpack}_\varepsilon\ k \cdot o@s\ \mathsf{in}\ e_2 : E \setminus \emptyset \,|\, -$, with $k = \mathsf{unique} \mid \mathsf{full} \mid \mathsf{immutable}$, $(o : C) \in \Sigma$, $\cdot; \Sigma; \Delta_1 \vdash_\varepsilon k \cdot o@s$, $\varepsilon = \mathsf{emp} \mid \mathsf{ot}$, $\cdot; \Sigma; \Delta_2, [o/\mathit{this}]\mathsf{inv}_C(s, k); \varepsilon; k \cdot o@s \vdash e_2 : E \setminus \omega_2 \,|\, -$ [Inversion of only typing rule]

Let $\Sigma' = \Sigma$, $\Delta^{\varepsilon\prime} = \Delta_2, [o/\mathit{this}]\mathsf{inv}_C(s, k)$, $u^{\varepsilon\prime} = k \cdot o@s$, $\omega' = \omega_2$.

$\cdot; \Sigma'; \Delta'; \varepsilon; u' \vdash e' : E \setminus \omega' \,|\, -$ [Substitution]

Must show $\Sigma'; \overline{\Delta^\varepsilon}{}'; \overline{u^\varepsilon}{}' \vdash H'; \overline{S_p}{}'$.

$\Sigma'; (\Delta^{\varepsilon\prime}, \Delta^*) \vdash S_p'$ [We have removed $k \cdot o$ from $\Delta$ and $S_p$, and added field perms to $\Delta$ which are ignored.]

$\Sigma'; \overline{\Delta}{}' \vdash \overline{S_p}{}'$ [No other $\Delta$ or $S_p$ changed.]

Must show $\Sigma'; \overline{\Delta^\varepsilon}{}'; \overline{S_p}{}'; \overline{u^\varepsilon}{}' \vdash H'$:

1.) ok. No change to $\mathrm{dom}(\Sigma)$ or $\mathrm{dom}(H)$.

2.) ok. We have not changed the number of wt elements from before. If $\varepsilon \neq \mathsf{wt}$, then $\textsf{not-wt}(\Delta')$ because invariants cannot contain pure and share information.

3.) ok. $k = \mathsf{immutable} \mid \mathsf{full} \mid \mathsf{unique}$. $o \mapsto C(\ldots)@\mathsf{unpacked}(k) \in H'$ and $\mathsf{writes}(k)$.

4.a.) ok. No change.

4.b.) ok. Before the step, either $S = \mathsf{unpacked}(s)$ and the invariant holds by this rule, or $S = s$ and the invariant held by this rule. Fields have not changed.

4.c.) ok. No new stack perms in $\Delta'$.

4.d.) ok. 4.b. was true before the step. Fields added to $\Delta'$ are given by $\mathsf{inv}_C(s, k)$.

4.e.) ok. 4.g. was true before the step. Any unique or full fields cannot be in other $\Delta$s and $u$.

4.f.) ok. 4.g. was true before the step. Other permissions to fields must agree with state.

4.g.) ok. No fields altered.

$o$ was unpacked. $u = -$ and $u' = k \cdot o@s$. $\omega' - \omega = \omega'$ only contains fields of $o$. [Packing flag lemma]

$\Delta'$ does not contain any fields in $\omega - \omega'$; $\omega - \omega' = \emptyset$.

$\forall o \in \mathrm{dom}(H) : w(o, S_p) - w(o, \Delta) - w(o, u) \leq w(o, S_p') - w(o, \Delta') - w(o, u')$ [Net is unchanged. Permission moved from $\Delta$ to $u'$.]

$T = \cdot$

$\textsf{not-active}(\mathsf{unpack})$ implies $\textsf{not-active}(e_2)$ [Inversion of not-active]

$\textsf{active}(\mathsf{unpack})$ cannot be derived.

$a = a'$ and $\textsf{not-active}(e)$ implies $\textsf{not-active}(e')$ [Above]


Case  E-Unpack-R-Wt 

So  e  =  unpack^vt  k  ■  o@s  in  62,  e'  =  62,  a  =  a',  H'  =  H[o  1— >•  C{. .  .)@unpacked(s)], 
S''  =  Sp[{k'  -k)-o]  and  T  =  -. 


$\cdot; \Sigma; \Delta; \varepsilon; u \vdash e : E \backslash \omega \mid u''$  Assumption

$\Sigma; \Delta^\varepsilon; u^\varepsilon \vdash H; S_p$  Assumption

$k' \cdot o \in S_p$  readonly(k)  $o \mapsto C(\ldots)@S' \in H$  $k < k'$

k = immutable $\Rightarrow$ S' = (unpacked(s)|s),  k = pure $\Rightarrow$ S' = s


Inversion  of  only  evaluation  rule. 


$\cdot; \Sigma; (\Delta_1, \Delta_2); \mathrm{wt}; - \vdash \mathrm{unpack}_{wt}\ k \cdot o@s\ \mathrm{in}\ e' : E' \backslash \emptyset \mid -$

$(o : C) \in \Sigma$  $\cdot; \Sigma; \Delta_1 \vdash_{wt} k \cdot o@s$  $\cdot; \Sigma; \Delta_2, [o/\mathrm{this}]\mathrm{inv}_C(s, k); \mathrm{wt}; k \cdot o@s \vdash e' : E \backslash \omega_2 \mid -$

Only  typing  rule  and  its  inversion. 

Let $\Sigma' = \Sigma$, $\Delta^{wt\prime} = \Delta_2, [o/\mathrm{this}]\mathrm{inv}_C(s, k)$, $u' = k \cdot o@s$, $\omega' = \omega_2$.

$\cdot; \Sigma'; \Delta'; \varepsilon; u' \vdash e' : E \backslash \omega' \mid -$  Substitution

Must show $\Sigma'; \Delta^{\varepsilon\prime}; u^{\varepsilon\prime} \vdash H'; S_p'$

$\Sigma'; (\Delta^{wt\prime}, \Delta^*) \vdash S_p'$

We have removed $k \cdot o$ from $\Delta$ and $S_p$, and added field perms to $\Delta$, which are ignored.


$\Sigma'; \Delta' \vdash S_p'$

No other $\Delta$ or $S_p$ changed.


Must show $\Sigma'; \Delta^{\varepsilon\prime}; S_p'; u^{\varepsilon\prime} \vdash H'$

1.) ok  No change to dom($\Sigma$) or dom($H$)
2.) ok

3.) ok

4.a.) ok

4.b.) ok


Still the only wt, no need to prove not-active.

$\varepsilon$ = wt.
No change

Before step, either $S = \mathrm{unpacked}(s)$ and invariant holds
by this rule, or $S' = s$ and invariant held by this rule.

Fields have not changed.
No new stack perms in $\Delta'$.
4.b. was true before step.  Fields added to $\Delta'$ are given by inv$_C$(s, k).
4.g. was true before step.  Any unique or full fields cannot be in other $\Delta$s and u.
4.g. was true before step.  Other permissions to fields must agree with state.

No fields altered.
$u = -$ and $u' = k \cdot o@s$.


4.c.) ok
4.d.)  ok 
4.e.)  ok 
4.f.)  ok 
4.g.)  ok 

o  was  unpacked. 

$\omega' - \omega = \omega'$ only contains fields of o.  Packing Flag lemma

$\Delta'$ does not contain any fields in $\omega - \omega'$; $\omega - \omega' = \emptyset$

$\forall o \in \mathrm{dom}(H) : w(o, S_p) - w(o, \Delta) - w(o, u) < w(o, S_p') - w(o, \Delta') - w(o, u')$

Net is unchanged.  Permission moved from $\Delta$ to $u'$.

$T = \cdot$

not-active(unpack) implies not-active($e_2$)  Inversion of not-active.

active(unpack) cannot be derived.

a = a' and not-active(e) implies not-active(e')  Above


Case E-Pack-R

So e = pack o to s in $e_2$, e' = $e_2$, a = a', $H' = H[o \mapsto C(\ldots)@s]$, $S_p' = S_p[(k + k_o) \cdot o]$
and $T = \cdot$.

$\cdot; \Sigma; \Delta; \varepsilon; u \vdash e : E \backslash \omega \mid u''$  Assumption

$\Sigma; \Delta^\varepsilon; u^\varepsilon \vdash H; S_p$  Assumption

inv$_C$(s) satisfied by o's fields
$k_o \cdot o \in S_p$  $o \mapsto C(\bar f = \overline{k \cdot o})@\mathrm{unpacked}(s) \in H$

Inversion  of  only  evaluation  rule 

$o \in \Sigma$  $\Delta^\varepsilon = (\Delta_1, \Delta_2)$

$\Sigma; \Delta_1 \vdash_\varepsilon [o/\mathrm{this}]\mathrm{inv}_C(s, k)$

$\Sigma; k \cdot o@s \vdash_\varepsilon k \cdot o@\$$

$\cdot; \Sigma; \Delta_2, k \cdot o@\$; \varepsilon; - \vdash e_2 : E \backslash \{o.\bar f\} \mid -$

No  temporary  permissions  for  o.f  in  A2 

Inversion  of  only  typing  rule 

Let $\Sigma' = \Sigma$, $\Delta^{\varepsilon\prime} = \Delta_2, k \cdot o@\$$, $u^{\varepsilon\prime} = -$, $\omega' = \emptyset$

$\cdot; \Sigma'; \Delta'; \varepsilon; u' \vdash e' : E \backslash \omega' \mid -$  Substitution

Must show $\Sigma'; \Delta^{\varepsilon\prime}; u^{\varepsilon\prime} \vdash H'; S_p'$

$\Sigma'; (\Delta^{\varepsilon\prime}, \Delta^*) \vdash S_p'$  k added back to $\Delta$, $S_p'$.

$\Sigma'; \Delta' \vdash S_p'$  No other $\Delta$ or $S_p'$ changed.

1.) ok  No change to dom($\Sigma$) or dom($H$)


2.) ok  We have not added a wt that was not previously there.

If $\varepsilon \neq$ wt, not-wt($\Delta^{\varepsilon\prime}$) by inversion of $\Sigma; \Delta' \vdash_\varepsilon k \cdot o@\$$.

3.) Ok

We have only removed a permission from $u^\varepsilon$.  This o is packed and inv$_C$(o, unique) from above.

4.a.) ok  No change

4.b.) ok

For only modified o, S = s and invariant satisfied from assumption and 4.d being true before step.
4.c.) ok  Only one new permission added to $\Delta$, and S = s.

4.d.) ok  We have only removed fields from $\Delta$.

4.e.) ok  True before step.  Can be no other full or uniques to u, now in $\Delta'$.

4.f.) ok  True before step.  u, now in $\Delta$, must be consistent.

4.g.) ok  From 4.e. and 4.f. before step.

$\omega' = \emptyset \subseteq \omega$

$\forall o \in \mathrm{dom}(H) : w(o, S_p) - w(o, \Delta) - w(o, u) < w(o, S_p') - w(o, \Delta') - w(o, u')$

Net is unchanged.  Permission moved from u to $\Delta'$.

$T = \cdot$

not-active(pack) implies not-active($e_2$)  Inversion of not-active.

active(pack) cannot be derived.

a = a' and not-active(e) implies not-active(e')  Above


Case E-Pack-RW

So e = pack o to s in $e_2$, e' = $e_2$, a = a', $H' = H[o \mapsto C(\ldots)@s]$, $S_p' = S_p[(k + k_o) \cdot o]$
and $T = \cdot$.

$\cdot; \Sigma; \Delta; \varepsilon; u \vdash e : E \backslash \omega \mid u''$  Assumption

$\Sigma; \Delta^\varepsilon; u^\varepsilon \vdash H; S_p$  Assumption

inv$_C$(s) satisfied by o's fields
$o \mapsto C(\ldots)@\mathrm{unpacked}(k) \in H$  $k_o \cdot o \in S_p$

Inversion of only eval rule

$o \in \Sigma$  $\Delta^\varepsilon = (\Delta_1, \Delta_2)$

$\Sigma; \Delta_1 \vdash_\varepsilon [o/\mathrm{this}]\mathrm{inv}_C(s, k)$

$\Sigma; k \cdot o@s \vdash_\varepsilon k \cdot o@\$$

$\cdot; \Sigma; \Delta_2, k \cdot o@\$; \varepsilon; - \vdash e_2 : E \backslash \{o.\bar f\} \mid -$
No temporary permissions for o.f in $\Delta_2$

Inversion of only typing rule

Let $\Sigma' = \Sigma$, $\Delta^{\varepsilon\prime} = \Delta_2, k \cdot o@\$$, $u^{\varepsilon\prime} = -$, $\omega' = \emptyset$

$\cdot; \Sigma'; \Delta'; \varepsilon; u' \vdash e' : E \backslash \omega' \mid -$  Substitution

Must show $\Sigma'; \Delta^{\varepsilon\prime}; u^{\varepsilon\prime} \vdash H'; S_p'$

$\Sigma'; (\Delta^{\varepsilon\prime}, \Delta^*) \vdash S_p'$  k added back to $\Delta$, $S_p'$.

$\Sigma'; \Delta' \vdash S_p'$  No other $\Delta$ or $S_p$ changed.

Must show $\Sigma'; \Delta^{\varepsilon\prime}; S_p'; u^{\varepsilon\prime} \vdash H'$

1.) ok  No change to dom($\Sigma$) or dom($H$)

2.) ok  We have not added a wt that was not previously there.
If $\varepsilon \neq$ wt, not-wt($\Delta^{\varepsilon\prime}$) by inversion of $\Sigma; \Delta' \vdash_\varepsilon k \cdot o@\$$.


3.) Ok

We have only removed a permission from $u^\varepsilon$.  This o is packed and inv$_C$(o, unique) from above.

4.a.) ok  No change

4.b.) ok

For only modified o, S = s and invariant satisfied from assumption and 4.d being true before step.
4.c.) ok  Only one new permission added to $\Delta$, and S = s.

4.d.) ok  We have only removed fields from $\Delta$.

4.e.) ok  True before step.  Can be no other full or uniques to u, now in $\Delta'$.

4.f.) ok  True before step.  u, now in $\Delta$, must be consistent.

4.g.) ok  From 4.e. and 4.f. before step.

$\omega' = \emptyset \subseteq \omega$

$\forall o \in \mathrm{dom}(H) : w(o, S_p) - w(o, \Delta) - w(o, u) < w(o, S_p') - w(o, \Delta') - w(o, u')$

Net is unchanged.  Permission moved from u to $\Delta'$.

$T = \cdot$

not-active(pack) implies not-active($e_2$)  Inversion of not-active.

active(pack) cannot be derived.

a = a' and not-active(e) implies not-active(e')  Above


Case E-Assign

So e = $o_1.f := k \cdot o_2$, e' = $k' \cdot o'$, a = a', $H' = H[o_1 \mapsto C(\ldots, f = k \cdot o_2, \ldots)@\mathrm{unpacked}(k'')]$,
$S_p' = S_p[(k_2 - k) \cdot o_2], k' \cdot o'$ and $T = \cdot$.

$\cdot; \Sigma; \Delta; \varepsilon; u \vdash e : E \backslash \omega \mid u''$  Assumption

$\Sigma; \Delta^\varepsilon; u^\varepsilon \vdash H; S_p$  Assumption

$k_1 \cdot o_1 \in S_p$
$o_1 \mapsto C(\ldots, f = k' \cdot o', \ldots)@\mathrm{unpacked}(k'') \in H$
$k_2 \cdot o_2 \in S_p$  $o_2 \mapsto C_2(\ldots)@S_2 \in H$

Inversion of only eval rule

$\Delta^\varepsilon = (\Delta_1, \Delta_2)$  $\omega = \{o_1.f\}$
localFields($C'$) = $\bar f : \bar C$  $(o' : C) \in \Sigma$  writes($k'$)
$\cdot; \Sigma; \Delta_1 \vdash_\varepsilon k \cdot o : \exists x : C_1.P$
$\cdot; \Sigma; \Delta_2 \vdash_\varepsilon [o'.f/x']P'$

Inversion of only typing rule

Let $\Sigma' = \Sigma$, $\Delta^{\varepsilon\prime} = [o'/x']P' \otimes [o_1.f/x]P$, $u^{\varepsilon\prime} = k' \cdot o'@s'$, $\omega' = \emptyset$

$\cdot; \Sigma'; \Delta'; \varepsilon; u' \vdash e' : E \backslash \omega' \mid u''$  By rule T-Loc.

$\Delta' = [o_1.f/o_2]([o'/o_1.f]\Delta)$  From above.

Must show $\Sigma'; \Delta^{\varepsilon\prime}; u^{\varepsilon\prime} \vdash H'; S_p'$

$\Sigma'; (\Delta^{\varepsilon\prime}, \Delta^*) \vdash S_p'$

$k' \cdot o'$ went into both $\Delta'$, as subst. for field permission, and $S_p'$.
Field permissions inserted, which are ignored.

$\Sigma'; \Delta' \vdash S_p'$  No other $\Delta$ or $S_p$ changed.

Must show $\Sigma'; \Delta^{\varepsilon\prime}; S_p'; u^{\varepsilon\prime} \vdash H'$

1.) ok  No change to dom($\Sigma$) or dom($H$)

2.) ok  We have not changed the number of wt elements from before.
The permissions added to $\Delta'$ were cleansed, by the inverse of the transaction-aware linear judgment.

3.) Ok  u unchanged.

4.a.) ok  No change
4.b.) ok  $S = \mathrm{unpacked}(k)$
4.c.) ok  From 4.d. true before step.
4.d.) ok  From 4.c. true before step.
4.e.) ok  From 4.g. true before step.
4.f.) ok  From 4.g. true before step.
4.g.) ok  From 4.d, e, f. true before step.

$\omega' \subseteq \omega = \{o_1.f\}$

$\forall o \in \mathrm{dom}(H) : w(o, S_p) - w(o, \Delta) - w(o, u) < w(o, S_p') - w(o, \Delta') - w(o, u')$

$k \cdot o_2$ and $k' \cdot o'$ move between field and stack.

$T = \cdot$

a' = a and only not-active(e) can be derived.  not-active rules for field.
not-active(e')  not-active rules for loc.


Case E-Call

So e = $k \cdot o.m(\overline{k \cdot o})$, e' = $[o/\mathrm{this}][\bar o/\bar x]e_m$, $H' = H$, $S_p' = S_p$, a' = a.

$\cdot; \Sigma; \Delta; \varepsilon; u \vdash e : E \backslash \omega \mid u''$  Assumption

$\Sigma; \Delta^\varepsilon; u^\varepsilon \vdash H; S_p$  Assumption

mbody(C, m) = $\bar x.e_m$  mtype(C, m) = $\forall \bar x : \bar C.P \rightarrow E$
$H; S_p \setminus k \cdot o, \overline{k \cdot o} \vdash [o/\mathrm{this}][\bar o/\bar x]P$

Inversion of only eval rule

$\cdot; \Sigma; \Delta; \varepsilon; - \vdash k \cdot o.m(\overline{k \cdot o}) : \exists x : C.P_r' \backslash \emptyset \mid -$

$(o : C) \in \Sigma$  $\bar o : \bar C \subseteq \Sigma$
$\cdot; \Sigma; \Delta \vdash_\varepsilon [o/\mathrm{this}][\bar o/\bar x]P$  mtype(C, m) = $\forall \bar x : \bar C.P \rightarrow \exists x : C.P_r$
forget$_\varepsilon$($P_r$) = $P_r'$

Only typing rule and its inversion.

$\bar x : \bar C, \mathrm{this} : C; \cdot; P; \mathrm{wt}; - \vdash e_m : \exists x : C.P_r \backslash \emptyset \mid -$

$\bar x : \bar C, \mathrm{this} : C; \cdot; P; \mathrm{ot}; - \vdash e_m : \exists x : C.P_r'' \backslash \emptyset \mid -$

Inversion of M ok

$\varepsilon$ = wt implies $P_r' = P_r$
$\varepsilon \neq$ wt implies $P_r' = P_r''$

Inversion of forget

$\cdot; \Sigma'; \Delta'; \varepsilon; u' \vdash [o/\mathrm{this}][\bar o/\bar x]e_m : E \backslash \omega' \mid u''$  Above and substitution.

$\Sigma'; \Delta^{\varepsilon\prime}; S_p'; u^{\varepsilon\prime} \vdash H'$  No changes

$\forall o \in \mathrm{dom}(H) : w(o, S_p) - w(o, \Delta) - w(o, u) < w(o, S_p') - w(o, \Delta') - w(o, u')$  No changes

a' = a and not-active(e)  Only not-active can be derived for call.

not-active(e')  Well-formed method body cannot be active.


Case E-Spawn

So e = spawn ($k \cdot o.m(\overline{k \cdot o})$), $H' = H$, $S_p' = S_{p1}, S_{p2}$ with $S_{p1}$, immutable $\cdot\ o_d@s_d$ replacing $S_p$.

$\cdot; \Sigma; \Delta; \varepsilon; u \vdash e : E \backslash \omega \mid u''$  Assumption

$\Sigma; \Delta^\varepsilon; u^\varepsilon \vdash H; S_p$  Assumption

mbody(C, m) = $\bar x.e_m$  mtype(C, m) = $\forall \bar x : \bar C.P \rightarrow E$
$H; S_{p2} \setminus k \cdot o, \overline{k \cdot o} \vdash [o/\mathrm{this}][\bar o/\bar x]P$

Inversion of only eval rule

$o : C \in \Sigma$  $\bar o : \bar C \in \Sigma$  mtype(C, m) = $\forall \bar x : \bar C.P \rightarrow E$
$\cdot; \Sigma; \Delta^{ot} \vdash_{ot} [o/\mathrm{this}][\bar o/\bar x]P$

Inversion of only typing rule

Let e' = immutable $\cdot\ o_d$, $T = ([o/\mathrm{this}][\bar o/\bar x]e_m, S_{p2})$, $\Sigma' = \Sigma$, $\Delta^{ot\prime}$ = immutable $\cdot\ o_d@s_d$,
$\Delta_t = \Delta$, $u_t = -$, $u' = -$

$\cdot; \Sigma'; \Delta_t; \mathrm{ot}; - \vdash e_t : E_t \backslash \emptyset \mid -$

$\bar x : \bar C, \mathrm{this} : C; \cdot; P; \mathrm{ot}; - \vdash e_m : E_t \backslash \emptyset \mid -$  Inversion of mtype.

$\cdot; \Sigma'; \Delta'; \mathrm{ot}; - \vdash \mathrm{immutable} \cdot o_d : \exists \_ : C_d.\mathrm{immutable} \cdot o_d@s_d$

Always true of $o_d$, which is implicitly in all $\Delta$.

Must show $\Sigma'; \Delta^{\varepsilon\prime}; u^{\varepsilon\prime} \vdash H'; S_p'$

$\Sigma'; (\Delta^{ot\prime}, \Delta^*) \vdash S_p'$  Only one permission in $\Delta'$ and we added it to $S_p$.

$\Sigma'; \Delta_t \vdash S_{p2}$  From above

$\Sigma'; \Delta' \vdash S_p'$  No other $\Delta$ or $S_p$ changed.

Must show $\Sigma'; \Delta^{\varepsilon\prime}; S_p'; u^{\varepsilon\prime} \vdash H'$

1.) ok  No change to dom($\Sigma$) or dom($H$)

2.) ok  New $\Delta$s are tagged with ot.  $\Delta'$ only has immutable objects and $\Delta_t$ is clean, inverse of TALI.

3.) ok  New us are both $-$.

4.a.) ok  No change

4.b.) ok  No states or fields changed.

4.c.) ok  Nothing new in $\Delta$s w.r.t. the heap.

4.d.) ok  Nothing new in $\Delta$s w.r.t. the heap.

4.e.) ok  Nothing new in $\Delta$s w.r.t. the heap or u.

4.f.) ok  Special default object, $o_d$, is always in state $s_d$.

4.g.) ok  No fields modified.

$\omega' \subseteq \omega$  $\omega' = \omega = \emptyset$

$\omega_t \subseteq \omega$  $\omega_t = \omega = \emptyset$

$\Delta'$ contains no permissions for fields in $\emptyset$
$\Delta_t$ contains no permissions for fields in $\emptyset$

$\forall o \in \mathrm{dom}(H) : w(o, S_p) - w(o, \Delta) - w(o, u) < w(o, S_p' \cup S_{pt}) - w(o, \Delta', \Delta_t) - w(o, u', u_t)$

Net is unchanged, immutable $\cdot\ o_d@s_d$ added to $S_p'$ and $\Delta'$
a' = a and not-active(e)  not-active rule for Spawn.

not-active(e')  not-active rule for $o_d$.

not-active($e_t$)  Property of well-typed method body.


Case E-Read-R

So e = $k \cdot o.f_i$, e' = $k \cdot o'$, $T = \cdot$, a' = a, $H' = H[o \mapsto C(\ldots, f_i = (k' - k) \cdot o', \ldots)@\mathrm{unpacked}(s'')]$,
$S_p' = S_p, (k \cdot o')$.

$\cdot; \Sigma; \Delta; \varepsilon; u \vdash e : E \backslash \omega \mid u''$  Assumption

$\Sigma; \Delta^\varepsilon; u^\varepsilon \vdash H; S_p$  Assumption

k = pure | immutable  $o \mapsto C(\ldots, f_i = k' \cdot o', \ldots)@\mathrm{unpacked}(s'') \in H$

Inversion of only eval rule

$\cdot; \Sigma; \Delta; \varepsilon; k_u \cdot o@s_u \vdash k \cdot o.f_i : \exists x : T_i.[x/f_i]P \backslash \emptyset \mid k_u \cdot o@s_u$

readonly($k_u$) implies readonly(k)  $\cdot; \Sigma; \Delta \vdash_\varepsilon P$  localFields(C) = $\bar f : \bar C$

Only typing rule and its inversion

Let $\Sigma' = \Sigma$, $u^{\varepsilon\prime} = u^\varepsilon$, $\Delta^{\varepsilon\prime} = [o'/o.f_i]P$, $\omega' = \omega = \emptyset$.

$\cdot; \Sigma'; \Delta'; \varepsilon'; u' \vdash k \cdot o' : E \backslash \omega' \mid u'$  Rule T-Loc.

Must show $\Sigma'; \Delta^{\varepsilon\prime}; u^{\varepsilon\prime} \vdash H'; S_p'$

$\Sigma'; (\Delta^{\varepsilon\prime}, \Delta^*) \vdash S_p'$  $\Delta'$ only has permissions for o', this object was added to $S_p$.

$\Sigma'; \Delta' \vdash S_p'$  No other $\Delta$ or $S_p$ changed.

Must show $\Sigma'; \Delta^{\varepsilon\prime}; S_p'; u^{\varepsilon\prime} \vdash H'$

1.) ok  No change to dom($\Sigma$) or dom($H$)

2.) ok  We have not added a wt that was not previously there.
If $\varepsilon \neq$ wt, not-wt($\Delta^{\varepsilon\prime}$) by inversion of $\Sigma; \Delta' \vdash_\varepsilon k \cdot o@\$$.

3.) ok  u' has not changed.

4.a.) ok  No change
4.b.) ok  By inversion of $-$ on permissions and inv$_C$(s, immutable)
4.c.) ok  States are correct by inv$_C$(s, immutable) of o's fields.
4.d.) ok  We have only removed field permissions from $\Delta$.
4.e.) ok  There can be no full or unique perm in P after downgrading.
4.f.) ok  From 4.g. true before step.
4.g.) ok  True by inversion of subtraction on permissions.

$\omega' \subseteq \omega$  $\omega' = \omega = \emptyset$

$\Delta'$ contains no permissions for fields in $\emptyset$

$\forall o \in \mathrm{dom}(H) : w(o, S_p) - w(o, \Delta) - w(o, u) < w(o, S_p') - w(o, \Delta') - w(o, u')$

Net unchanged.  $k \cdot o'$ added to $S_p$ and $\Delta$.

$T = \cdot$

a' = a and only not-active(e) can be derived.  not-active rule for field reads.
Only not-active(e') can be derived.  not-active rule for location reads.


Case E-Read-RW

So e = $k \cdot o.f_i$, e' = $k \cdot o'$, $T = \cdot$, a' = a, $H' = H[o \mapsto C(\ldots, f_i = (k' - k) \cdot o', \ldots)@\mathrm{unpacked}(k'')]$,
$S_p' = S_p, (k \cdot o')$.

$\cdot; \Sigma; \Delta; \varepsilon; u \vdash e : E \backslash \omega \mid u''$  Assumption

$\Sigma; \Delta^\varepsilon; u^\varepsilon \vdash H; S_p$  Assumption

$k < k'$  $o \mapsto C(\ldots, f_i = k' \cdot o', \ldots)@\mathrm{unpacked}(k'') \in H$

Inversion of only eval rule.

$\cdot; \Sigma; \Delta \vdash_\varepsilon P$  localFields(C) = $\bar f : \bar C$
$\cdot; \Sigma; \Delta; \varepsilon; k_u \cdot o@s_u \vdash k \cdot o.f_i : \exists x : T_i.[x/f_i]P \backslash \emptyset \mid k_u \cdot o@s_u$

Inversion of only typing rule.

Let $\Sigma' = \Sigma$, $u^{\varepsilon\prime} = u^\varepsilon$, $\Delta^{\varepsilon\prime} = [o'/o.f_i]P$, $\omega' = \omega = \emptyset$.

$\cdot; \Sigma'; \Delta'; \varepsilon'; u' \vdash k \cdot o' : E \backslash \omega' \mid u'$  Rule T-Loc.

Must show $\Sigma'; \Delta^{\varepsilon\prime}; u^{\varepsilon\prime} \vdash H'; S_p'$

$\Sigma'; (\Delta^{\varepsilon\prime}, \Delta^*) \vdash S_p'$  $\Delta'$ only has permissions for o', this object was added to $S_p$.

$\Sigma'; \Delta' \vdash S_p'$  No other $\Delta$ or $S_p$ changed.

Must show $\Sigma'; \Delta^{\varepsilon\prime}; S_p'; u^{\varepsilon\prime} \vdash H'$

1.) ok  No change to dom($\Sigma$) or dom($H$)

2.) ok  We have not added a wt that was not previously there.
If $\varepsilon \neq$ wt, not-wt($\Delta^{\varepsilon\prime}$) by inversion of $\Sigma; \Delta' \vdash_\varepsilon k \cdot o@\$$.

3.) ok  u' has not changed.

4.a.) ok  No change
4.b.) ok  $S = \mathrm{unpacked}(k)$
4.c.) ok  4.d.) was true before step.
4.d.) ok  We have only removed field permissions from $\Delta$.
4.e.) ok  4.g.) was true before step.
4.f.) ok  4.g.) was true before step.
4.g.) ok  True by inversion of subtraction on permissions.

$\omega' \subseteq \omega$  $\omega' = \omega = \emptyset$

$\Delta'$ contains no permissions for fields in $\emptyset$

$\forall o \in \mathrm{dom}(H) : w(o, S_p) - w(o, \Delta) - w(o, u) < w(o, S_p') - w(o, \Delta') - w(o, u')$

Net unchanged.  $k \cdot o'$ added to $S_p$ and $\Delta$.

$T = \cdot$

a' = a and only not-active(e) can be derived.  not-active rule for field reads.

Only not-active(e') can be derived.  not-active rule for location reads.


Case E-Inatomic

So e = inatomic ($e_1$), e' = inatomic ($e_1'$), a' = a, $H' = H'$ from I.H., $S_p' = S_p'$ from I.H., $\omega' = \omega'$ from I.H.

$\cdot; \Sigma; \Delta; \varepsilon; u \vdash e : E \backslash \omega \mid u''$  Assumption

$\Sigma; \Delta^\varepsilon; u^\varepsilon \vdash H; S_p$  Assumption

$a; H; (e_1, S_p) \rightarrow a'; H'; (e_1', S_p'); T$  Inversion of only eval rule

$\cdot; \Sigma; \Delta; \varepsilon; u \vdash \mathrm{inatomic}\ (e_1) : \exists x : C.P' \backslash \omega \mid u'$

$\cdot; \Sigma; \Delta; \mathrm{wt}; u \vdash e_1 : \exists x : C.P \backslash \omega \mid u'$  forget$_\varepsilon$(P) = P'

Inversion of only typing rule

Apply induction hypothesis.

$\Sigma'; \Delta^{\varepsilon\prime}; u^{\varepsilon\prime} \vdash H'; S_p'$  I.H.

T ok  I.H.
$\omega'$ ok  I.H.

a' = a and active(inatomic ($e_1$))  active rule for inatomic.

active(e')  active rule for inatomic.


Case E-Atomic-Exit

So e = inatomic ($k \cdot o$), e' = $k \cdot o$, $S_p' = S_p$, $H' = H$, a' = $\circ$.

$\cdot; \Sigma; \Delta; \varepsilon; u \vdash e : E \backslash \omega \mid u''$  Assumption

$\Sigma; \Delta^\varepsilon; u^\varepsilon \vdash H; S_p$  Assumption

$\cdot; \Sigma; \Delta; \varepsilon; u \vdash \mathrm{inatomic}\ (e) : \exists x : C.P' \backslash \omega \mid u''$

$\cdot; \Sigma; \Delta; \mathrm{wt}; u \vdash e : \exists x : C.P \backslash \omega \mid u''$  forget$_\varepsilon$(P) = P'

Only typing rule and its inverse.  Let $\Sigma' = \Sigma$, $\omega' = \omega$.

Case: $\varepsilon$ = wt

Let $\Delta^{wt\prime} = \Delta$,

$\cdot; \Sigma'; \Delta'; \mathrm{wt}; u' \vdash k \cdot o : \exists x : C.P \backslash \omega \mid u''$

By substitution, and P' = P when $\varepsilon$ = wt

Tag for u and $\Delta$ did not change.

$(\Delta^\varepsilon, u^\varepsilon)$ ok  Above

Case: $\varepsilon \neq$ wt

Let $\Delta^\varepsilon = P'$, $u^\varepsilon = u$.

$\cdot; \Sigma'; \Delta'; \varepsilon; u' \vdash k \cdot o : \exists x : C.P' \backslash \omega \mid u''$  Rule T-Loc

$\Delta^\varepsilon$ contains no share or pure perms.  inv. forget.

$u^\varepsilon$ contains no share or pure permissions.  Unpacking share or pure requires $\varepsilon$ = wt

$(\Delta^\varepsilon, u^\varepsilon)$ ok  Above

Heap cond 3 satisfied.  Above

$\Sigma'; \Delta^\varepsilon; u^\varepsilon \vdash H; S_p$  Rest of heap unchanged.

$T = \cdot$  a' = $\circ \neq \bullet$ = a, active(e)  Active rule for inatomic
not-active(e')  Only derivable rule for $k \cdot o$
Case E-Atomic

So e = atomic ($e_1$), e' = inatomic ($e_1$), $H' = H$, $S_p' = S_p$, a' = $\bullet$, $\omega' = \omega$.

$\cdot; \Sigma; \Delta; \varepsilon; u \vdash e : E \backslash \omega \mid u''$  Assumption

$\Sigma; \Delta^\varepsilon; u^\varepsilon \vdash H; S_p$  Assumption

$\cdot; \Sigma; \Delta; \varepsilon; u \vdash \mathrm{atomic}\ (e_1) : \exists x : C.P' \backslash \omega \mid u''$

$\cdot; \Sigma; \Delta; \mathrm{wt}; u \vdash e_1 : \exists x : C.P \backslash \omega \mid u''$  forget$_\varepsilon$(P) = P'

Only typing rule and its inversion.  Let $\Sigma' = \Sigma$, $u' = u$, $\Delta' = \Delta$, $\omega' = \omega$.
$\cdot; \Sigma'; \Delta'; \varepsilon; u' \vdash e' : \exists x : C.P \backslash \omega' \mid u''$

By rule T-Inatomic.  Let u' and $\Delta'$ be tagged with wt.

$(\Delta^\varepsilon, u^\varepsilon)$ ok  a = $\circ$ implies no u or $\Delta$ tagged with wt before step.
$\Sigma'; \Delta^{\varepsilon\prime}; u^{\varepsilon\prime} \vdash H'; S_p'$  No other changes to heap.

a' = $\bullet \neq \circ$ = a.  Given not-active(e).
active(e')  active rule for inatomic.


Case E-New

So e = new C($\overline{k \cdot o}$), e' = unique $\cdot\ o_n$, $H' = H, o_n \mapsto C(\bar f = \overline{k \cdot o})@s$, $S_p' = (S_p - \overline{k \cdot o}), \mathrm{unique} \cdot o_n$, a' = a.

$\cdot; \Sigma; \Delta; \varepsilon; u \vdash e : E \backslash \omega \mid u''$  Assumption

$\Sigma; \Delta^\varepsilon; u^\varepsilon \vdash H; S_p$  Assumption

$H; S_p \vdash [\bar o/\bar x]P$  init(C) = $(\exists \bar x : \bar C.P, s)$

Inversion of only evaluation rule

$\cdot; \Sigma; \Delta; \varepsilon; u \vdash \mathrm{new}\ C(\overline{k \cdot o}) : \exists x : C.\mathrm{unique} \cdot x@s \backslash \emptyset \mid u$
$\cdot; \Sigma; \Delta \vdash_\varepsilon [\bar o/\bar x]P$  $\bar o : \bar C \subseteq \Sigma$  init(C) = $(\exists \bar x : \bar C.P, s)$

Only typing rule and its inversion.

Let $\Sigma' = \Sigma, o_n : C$, $u^{\varepsilon\prime} = u$, $\Delta^{\varepsilon\prime}$ = unique $\cdot\ o_n$ where the $\varepsilon$ tag is the same as before step,
$\omega' = \omega = \emptyset$.

$\cdot; \Sigma'; \Delta'; \varepsilon; u' \vdash \mathrm{unique} \cdot o_n : \exists x : C.\mathrm{unique} \cdot x@s$  By rule T-Loc

Must show $\Sigma'; \Delta^{\varepsilon\prime}; u^{\varepsilon\prime} \vdash H'; S_p'$

$\Sigma'; (\Delta^{\varepsilon\prime}, \Delta^*) \vdash S_p'$

We removed $\overline{k \cdot o}$ from both $S_p$ and $\Delta$ and added unique $\cdot\ o_n$ to both.

$\Sigma'; \Delta' \vdash S_p'$  No other $\Delta$ or $S_p$ changed.

Must show $\Sigma'; \Delta^{\varepsilon\prime}; S_p'; u^{\varepsilon\prime} \vdash H'$

1.) ok  Added $o_n$ to both.

2.) ok  We have not changed $\varepsilon$ tagging.  Only new permission is unique, so invariant holds, if nec.

3.) ok  $o_n$ is packed, inv$_C$ holds b/c inverse of init and runtime proof of P.

4.a.) ok  $o_n : C$ added to both.
4.b.) ok  S = s for $o_n$ and invariant holds from above.
4.c.) ok  We know $o_n$@s in $\Delta'$ and $H'$ b/c we added them.
4.d.) ok  No fields added to $\Delta$.
4.e.) ok  True b/c $o_n \notin \mathrm{dom}(\Sigma)$ until now.
4.f.) ok  None added.
4.g.) ok  Fields were all in $\Delta$ before step, therefore by 4.e and 4.f property now holds for fields.

$\forall o \in \mathrm{dom}(H) : w(o, S_p) - w(o, \Delta) - w(o, u) < w(o, S_p') - w(o, \Delta') - w(o, u')$

$\overline{k \cdot o}$ removed from $S_p'$ and $\Delta'$.

$T = \cdot$

a' = a and only not-active(e) can be derived.  inv on not-active rule.
not-active(e')  not-active rule for locations.


Case E-Let-E

So e = let x = $e_1$ in $e_2$, e' = let x = $e_1'$ in $e_2$.

$\cdot; \Sigma; \Delta; \varepsilon; u \vdash e : E \backslash \omega \mid u''$  Assumption

$\Sigma; \Delta^\varepsilon; u^\varepsilon \vdash H; S_p$  Assumption

$a; H; (e_1, S_p) \rightarrow a'; H'; (e_1', S_p'); T$  Inversion of only eval rule

$\Delta^\varepsilon = (\Delta_1, \Delta_2)$  $\cdot; \Sigma; \Delta_1; \varepsilon; u \vdash e_1 : \exists x : C.P \backslash \omega_1 \mid u_2$
$\Sigma; \Delta_2, P \vdash_\varepsilon P'$
$x : C; \Sigma; P'; \varepsilon; u_2 \vdash e_2 : E \backslash \omega_2 \mid u''$

Inversion of only typing rule

$\Sigma; \Delta^\varepsilon; u^\varepsilon \vdash H; S_p$ where $\Delta^\varepsilon$ has $\Delta_1$ instead of $\Delta$.  Compositionality

Apply induction hypothesis where $(\Delta_2, \Delta^*)$ is the additional linear context.

$\Sigma'; \Delta_1'; u' \vdash H'; S_p'$  I.H.

$\Delta'$ is the same as $\Delta$ except $\Delta_1$ is now $\Delta_1', \Delta_2, \Delta^*$.  I.H.

Gives us $\Sigma' \supseteq \Sigma$, $u^{\varepsilon\prime}$ and $\omega_1'$  I.H.

Either (a) $u = -$ and $u' = k \cdot o@s$ and $\omega_1' - \omega_1$ only contains fields of o or (b) $\omega_1' \subseteq \omega_1$.
$\cdot; \Sigma'; \Delta_1'; \varepsilon; u' \vdash e_1' : \exists x : C.P \backslash \omega_1' \mid u_2$  I.H.

$\forall o \in \mathrm{dom}(H) : w(o, S_p) - w(o, \Delta) - w(o, u) < w(o, S_p') - w(o, \Delta') - w(o, u')$  I.H.  Fractions in $\Delta_2$ unchanged.

T ok  I.H.

Subcase: $u = -$ and $u' = k \cdot o@s$ and $\omega_1' - \omega_1$ only contains fields of o.

$\Delta_2, \Delta^*$ do not contain permissions for fields of o.  Definition of well-typed store.

$\Delta_2, \Delta^*$ do not contain permissions for fields in $\omega_1' - \omega_1$.  $\omega_1' - \omega_1$ contains only fields of o.

$\cdot; \Sigma'; \Delta'; \varepsilon; u' \vdash e' : E \backslash \omega' \mid u''$  By rule T-Let

Subcase: $\omega_1' \subseteq \omega_1$

$\Delta_2, \Delta^*$ do not contain permissions for fields in $\omega_1' - \omega_1$.  $\omega_1' \subseteq \omega_1$

$\cdot; \Sigma'; \Delta'; \varepsilon; u' \vdash e' : E \backslash \omega' \mid u''$  By rule T-Let

If a = a' and active(e), then active($e_1$), not-active($e_2$)  Inversion active
active($e_1$) implies active($e_1'$)  Induction
active($e_1'$) and not-active($e_2$) imply active(e')  Active rule, Let

If a = a' and not-active(e) then not-active($e_1$) and not-active($e_2$)  Inversion not-active(e)
a = a' and not-active($e_1$) implies not-active($e_1'$)  Induction
not-active($e_1'$) and not-active($e_2$) imply not-active(e')  Not-active rule, Let

If a = $\circ$ and a' = $\bullet$, then not-active($e_1$) and active($e_1'$)  Induction
a = $\circ$ implies not-active(e)  Assumption
not-active(e) implies not-active($e_2$)  Inversion, not-active Let
active($e_1'$) and not-active($e_2$) imply active(e')  Active rule, Let

If a = $\bullet$ and a' = $\circ$ then active($e_1$) and not-active($e_1'$)  Induction
a = $\bullet$ implies either active(e) or not-active(e)  Assumption
Given active($e_1$), not-active(e) impossible  Definition of active for Let
active(e)  Above
active(e) implies not-active($e_2$)  Active rule, Let
not-active($e_1'$) and not-active($e_2$) imply not-active(e')  Not-active rule, Let.


Case E-Let-V

So e = let x = $k \cdot o$ in $e_2$, e' = $[o/x]e_2$, $H' = H$, $S_p' = S_p$, a' = a.

$\cdot; \Sigma; \Delta; \varepsilon; u \vdash e : E \backslash \omega \mid u''$  Assumption

$\Sigma; \Delta^\varepsilon; u^\varepsilon \vdash H; S_p$  Assumption

$k' \cdot o \in S_p$  $o \mapsto C(\ldots)@S \in H$  $k < k'$

Inversion of only eval rule.

$\cdot; \Sigma; (\Delta_1, \Delta_2); \varepsilon; u \vdash \mathrm{let}\ x = e_1\ \mathrm{in}\ e_2 : E \backslash \omega_1 \cup \omega_2 \mid u''$

$\Sigma; \Delta_2, P \vdash_\varepsilon P'$

$\cdot; \Sigma; \Delta_1; \varepsilon; u \vdash e_1 : \exists x : T.P \backslash \omega_1 \mid u_2$  $x : C; \Sigma; P'; \varepsilon; u_2 \vdash e_2 : E \backslash \omega_2 \mid u''$

No permissions for $\omega_1$ in $\Delta_2$

Only typing rule and its inversion.

Let $\Sigma' = \Sigma$, $\Delta^\varepsilon = P'$, $u^\varepsilon = u$, $\omega' = \omega$.  $\cdot; \Sigma'; \Delta'; \varepsilon; u' \vdash e_2 : E \backslash \omega_1 \mid u_2$  Substitution

Must show $\Sigma'; \Delta^{\varepsilon\prime}; u^{\varepsilon\prime} \vdash H'; S_p'$  No change at all except forgetting permissions in $\Delta$.

$\forall o \in \mathrm{dom}(H) : w(o, S_p) - w(o, \Delta) - w(o, u) < w(o, S_p') - w(o, \Delta') - w(o, u')$  No changes

$T = \cdot$

not-active(e)  No active rule for locations, let rule.

not-active($e_2$)  not-active Let rule.


1.6  Progress

1.6.1  Top-Level Progress

If $\vdash a; H; T$

Then there exists either:

•  $\bar v$ such that $T = \langle \bar v, \overline{S_p} \rangle$, or

•  $a'; H'; T'$ such that $a; H; T \rightarrow a'; H'; T'$

Proof: By structural induction on the derivation of $\vdash a; H; T$
Case T-Top-Level

$\vdash a; H; T$  Assumed
correct-atomic(a, T)  Inversion of above

Subcase: a = $\circ$

Every $e_i$ in $\overline{(e, S_p)}$ is not-active($e_i$).  Inversion of correct-atomic
Subcase: Every e in $\bar e$ is a value
Proof satisfied

Subcase: $\exists e_i$ in $\bar e$ s.t. $e_i$ not a value
$e_i$ must take a step  Single-threaded lemma
Global thread pool steps  rule E-Thread-Pool

Subcase: a = $\bullet$

There is a $e_i$ in $\bar e$ such that active($e_i$).  Inversion of correct-atomic

$e_i$ must take a step  Single-threaded lemma
Global thread pool steps  rule E-Thread-Pool


1.6.2  Thread-Level Progress

If

•  $\Sigma; \Delta^\varepsilon; u^\varepsilon \vdash H; S_p$

Then the following three items must hold true:

1.  If $\cdot; \Sigma; \Delta; \varepsilon; u \vdash e : E \backslash \omega \mid u'$ and active(e), then $\exists e', a', H', T, S_p'$ such that $\bullet; H; (e, S_p) \rightarrow a'; H'; (e', S_p'); T$, where $\Delta$ and $S_p$ come from $\bar\Delta$ and $\overline{S_p}$ respectively and are associated.

2.  If $\cdot; \Sigma; \Delta; \varepsilon; u \vdash e : E \backslash \omega \mid u'$ and not-active(e), then e is a value, or $\exists e', a', H', T, S_p'$ such that $\circ; H; (e, S_p) \rightarrow a'; H'; (e', S_p'); T$, where $\Delta$ and $S_p$ come from $\bar\Delta$ and $\overline{S_p}$ respectively and are associated.

Proof: By structural induction on the derivation of $\cdot; \Sigma; \Delta; \varepsilon; u \vdash e : E \backslash \omega \mid u''$

Case T-Loc  $k \cdot o$ is already a value.

Case T-Call

So e = $k \cdot o.m(\overline{k \cdot o})$.

$\Sigma; \Delta^\varepsilon; u^\varepsilon \vdash H; S_p$  Assumption

$\cdot; \Sigma; \Delta; \varepsilon; - \vdash k \cdot o.m(\overline{k \cdot o}) : \exists x : C.P_r' \backslash \emptyset \mid -$  Assumption

$(o : C) \in \Sigma$  $\bar o : \bar C \subseteq \Sigma$
$\cdot; \Sigma; \Delta \vdash_\varepsilon [o/\mathrm{this}][\bar o/\bar x]P$  mtype(C, m) = $\forall \bar x : \bar C.P \rightarrow \exists x : C.P_r$
forget$_\varepsilon$($P_r$) = $P_r'$

Inversion of typing rule.

$o, \bar o \in \mathrm{dom}(H)$  Heap condition 1
$o, \bar o \in \mathrm{dom}(S_p)$  $\Sigma; \Delta \vdash S_p$
$\{k' \cdot o, \overline{k' \cdot o}\} \subseteq S_p$  Above
$k < k'$, $\bar k < \overline{k'}$  $\Sigma; \Delta \vdash S_p$
$H, S_p \setminus k \cdot o, \overline{k \cdot o} \vdash [o/\mathrm{this}][\bar o/\bar x]P$  $\Sigma; \Delta \vdash S_p$ and heap well-typed

$a; H; (e, S_p) \rightarrow a'; H'; (e', S_p'); T'$  By rule E-Call

not-active(e)  No rule for active Call.

Rule works for a = $\circ$


Case T-Spawn

So e = spawn ($k \cdot o.m(\overline{k \cdot o})$).

$\Sigma; \Delta^\varepsilon; u^\varepsilon \vdash H; S_p$  Assumption

$\cdot; \Sigma; \Delta; \mathrm{ot}; - \vdash \mathrm{spawn}\ (k \cdot o.m(\overline{k \cdot o})) : \exists \_ : C_d.\mathrm{immutable} \cdot o_d@s_d \backslash \emptyset \mid -$  Assumption

$o : C \in \Sigma$  $\bar o : \bar C \in \Sigma$  mtype(C, m) = $\forall \bar x : \bar C.P \rightarrow E$
$\cdot; \Sigma; \Delta^{ot} \vdash_{ot} [o/\mathrm{this}][\bar o/\bar x]P$

Inversion of only typing rule.

$o, \bar o \in \mathrm{dom}(H)$  Heap condition 1
$o, \bar o \in \mathrm{dom}(S_p)$  $\Sigma; \Delta \vdash S_p$
$\{k' \cdot o, \overline{k' \cdot o}\} \subseteq S_p$  Above
$k < k'$, $\bar k < \overline{k'}$  $\Sigma; \Delta \vdash S_p$
$H, S_p \setminus k \cdot o, \overline{k \cdot o} \vdash [o/\mathrm{this}][\bar o/\bar x]P$  $\Sigma; \Delta \vdash S_p$ and heap well-typed

$a; H; (e, S_p) \rightarrow a'; H'; (e', S_p'); T'$  By rule E-Spawn

not-active(e)  No rule for active Spawn.

Rule works for a = $\circ$


Case T-Unpack-Wt

So e = unpack$_{wt}$ $k \cdot o@s$ in $e_2$.

$\Sigma; \Delta^\varepsilon; u^\varepsilon \vdash H; S_p$  Assumption

$\cdot; \Sigma; (\Delta, \Delta'); \mathrm{wt}; - \vdash \mathrm{unpack}_{wt}\ k \cdot o@s\ \mathrm{in}\ e' : E \backslash \emptyset \mid -$  Assumption

$(o : C) \in \Sigma$  $\bar o : \bar C \subseteq \Sigma$
$\cdot; \Sigma; \Delta \vdash_\varepsilon [o/\mathrm{this}][\bar o/\bar x]P$  mtype(C, m) = $\forall \bar x : \bar C.P \rightarrow \exists x : C.P_r$
forget$_\varepsilon$($P_r$) = $P_r'$

Inversion of only typing rule

$k' \cdot o \in S_p$  $\Sigma; \Delta \vdash S_p$
$o \in \mathrm{dom}(H)$  $\Sigma; \Delta \vdash S_p$
$k < k'$  From $\Sigma; \Delta \vdash S_p$

Subcase: readonly(k)

k = immutable implies $o \mapsto C(\ldots)@s \in H$ or $o \mapsto C(\ldots)@\mathrm{unpacked}(s) \in H$  From heap condition 4.c and $<$.
k = pure implies $o \mapsto C(\ldots)@s \in H$  From heap conditions 4.c, 2 and 3.

$a; H; (e, S_p) \rightarrow a'; H'; (e', S_p'); T$  By rule E-Unpack-R-Wt

Only not-active(e) can be derived, and we can step when a = $\circ$.

Subcase: writes(k)

k = share|full|unique implies $o \mapsto C(\ldots)@s \in H$  Heap condition 4.c.

$k' \cdot o \in S_p$  $k < k'$  $\Sigma; \Delta \vdash S_p$

$a; H; (e, S_p) \rightarrow a'; H'; (e', S_p'); T$  By rule E-Unpack-RW-Wt

Only not-active(e) can be derived, and we can step when a = $\circ$.


Case T-Unpack

So e = unpack$_\varepsilon$ $k \cdot o@s$ in $e_2$.

$\Sigma; \Delta^\varepsilon; u^\varepsilon \vdash H; S_p$  Assumption

$\cdot; \Sigma; (\Delta, \Delta'); \varepsilon; - \vdash \mathrm{unpack}_\varepsilon\ k \cdot o@s\ \mathrm{in}\ e' : E \backslash \emptyset \mid -$  Assumption

k = unique | full | immutable  $(o : C) \in \Sigma$  $\cdot; \Sigma; \Delta \vdash_\varepsilon k \cdot o@s$
$\varepsilon$ = emp|ot  $\cdot; \Sigma; \Delta', [o/\mathrm{this}]\mathrm{inv}_C(s, k); \varepsilon; k \cdot o@s \vdash e' : E \backslash \omega \mid -$

Inversion of only typing rule

$k' \cdot o \in S_p$  $\Sigma; \Delta \vdash S_p$
$o \in \mathrm{dom}(H)$  $\Sigma; \Delta \vdash S_p$
$k < k'$  From $\Sigma; \Delta \vdash S_p$

Subcase: readonly(k)

k = immutable implies $o \mapsto C(\ldots)@s \in H$ or $o \mapsto C(\ldots)@\mathrm{unpacked}(s) \in H$  From heap condition 4.c and $<$.

$a; H; (e, S_p) \rightarrow a'; H'; (e', S_p'); T$  By rule E-Unpack-R

Only not-active(e) can be derived, and we can step when a = $\circ$.

Subcase: writes(k)

k = full|unique implies $o \mapsto C(\ldots)@s \in H$  Heap condition 4.c.

$k' \cdot o \in S_p$  $k < k'$  $\Sigma; \Delta \vdash S_p$

$a; H; (e, S_p) \rightarrow a'; H'; (e', S_p'); T$  By rule E-Unpack-RW

Only not-active(e) can be derived, and we can step when a = $\circ$.


Case T-Pack

So e = pack o to s' in $e_2$.

$\Sigma; \Delta^\varepsilon; u^\varepsilon \vdash H; S_p$  Assumption

$\cdot; \Sigma; (\Delta, \Delta'); \varepsilon; k \cdot o@s \vdash \mathrm{pack}\ o\ \mathrm{to}\ s'\ \mathrm{in}\ e' : E \backslash \{o.\bar f\} \mid -$  Assumption

forget$_\varepsilon$($k \cdot o@s$) = $k \cdot o@\$$
k = immutable | pure implies s = s'  $\cdot; \Sigma; \Delta', k \cdot o@\$ \vdash e' : E \backslash \emptyset \mid -$
localFields(C) = $\bar f : \bar C$  $(o : C) \in \Sigma$  $\cdot; \Sigma; \Delta \vdash_\varepsilon [o/\mathrm{this}]\mathrm{inv}_C(s, k)$

No temporary permissions for o.f in $\Delta'$

Inversion of only typing rule.

Subcase: writes(k)
$o \mapsto C(\ldots)@\mathrm{unpacked}(k) \in H$  Heap condition 3
o's fields satisfy $[o/\mathrm{this}]\mathrm{inv}_C(s, k)$  Above and heap condition 4.d.

$k' \cdot o \in S_p$  $\Sigma; \Delta \vdash S_p$

$a; H; (e, S_p) \rightarrow a'; H'; (e', S_p'); T$  By rule E-Pack-RW

Only not-active(e) can be derived.
We can step when a = $\circ$.

Subcase: readonly(k)
$o \mapsto C(\ldots)@\mathrm{unpacked}(s) \in H$  Heap condition 3
o's fields satisfy $[o/\mathrm{this}]\mathrm{inv}_C(s, k)$  Above and heap condition 4.d.

$k' \cdot o \in S_p$  $\Sigma; \Delta \vdash S_p$

$a; H; (e, S_p) \rightarrow a'; H'; (e', S_p'); T$  By rule E-Pack-R

Only not-active(e) can be derived.

We can step when a = $\circ$.

Case T-Atomic

e = atomic ($e_1$)

$\Sigma; \Delta^\varepsilon; u^\varepsilon \vdash H; S_p$  Assumption

$\cdot; \Sigma; \Delta; \varepsilon; u \vdash \mathrm{atomic}\ (e_1) : \exists x : C.P' \backslash \omega \mid u'$  Assumption

$\cdot; \Sigma; \Delta; \mathrm{wt}; u \vdash e_1 : \exists x : C.P \backslash \omega \mid u'$  forget$_\varepsilon$(P) = P'

Inversion of only typing rule

$a; H; (e, S_p) \rightarrow a'; H'; (e', S_p'); T$  By rule E-Atomic-Begin

Only active(e) can be derived.
e can step when a = $\circ$


Case T-Inatomic

e = inatomic ($e_1$)

$\Sigma; \Delta^\varepsilon; u^\varepsilon \vdash H; S_p$  Assumption

$\cdot; \Sigma; \Delta; \varepsilon; u \vdash \mathrm{inatomic}\ (e) : \exists x : C.P' \backslash \omega \mid u'$  Assumption

$\cdot; \Sigma; \Delta; \mathrm{wt}; u \vdash e : \exists x : C.P \backslash \omega \mid u'$  forget$_\varepsilon$(P) = P'

Inversion of typing rule.

Subcase: $e_1$ is a value.  It is only possible to derive active(e).

When a = $\bullet$, we can step.
$a; H; (e, S_p) \rightarrow a'; H'; (e', S_p'); T'$  By rule E-Atomic-Exit

Subcase: $e_1$ is not a value.

$e_1$ can take a step  Induction hypothesis

It is only possible to derive active(e).

When a = $\bullet$, we can step.
$a; H; (e, S_p) \rightarrow a'; H'; (e', S_p'); T'$  By rule E-Inatomic


Case T-Read
So e = $k \cdot o.f_i$.

$\Sigma; \Delta^\varepsilon; u^\varepsilon \vdash H; S_p$  Assumption

$\cdot; \Sigma; \Delta; \varepsilon; u \vdash k \cdot o.f_i : \exists x : C.[x/o.f_i]P \backslash \emptyset \mid u$  Assumption

readonly($k_u$) implies readonly(k)  $\cdot; \Sigma; \Delta \vdash_\varepsilon P$  localFields(C) = $\bar f : \bar C$

Inversion of typing rule

$o \mapsto C(\ldots, f_i = k_i \cdot o_i, \ldots)@S$  Heap condition 3
$k < k_i$  Heap condition 4.d

Subcase: writes($k_u$)

$S = \mathrm{unpacked}(k_u)$  Heap condition 3

Only not-active(e) can be derived.

We can step when a = $\circ$

$a; H; (e, S_p) \rightarrow a'; H'; (e', S_p'); T$  By rule E-Read-RW

Subcase: readonly($k_u$)

$S = \mathrm{unpacked}(s)$  Heap condition 3

k = immutable|pure  Above

Only not-active(e) can be derived.

We can step when a = $\circ$

$a; H; (e, S_p) \rightarrow a'; H'; (e', S_p'); T$  By rule E-Read-R


Case T-Let

So e = let x = $e_1$ in $e_2$.

$\Sigma; \Delta^\varepsilon; u^\varepsilon \vdash H; S_p$  Assumption

$\cdot; \Sigma; (\Delta_1, \Delta_2); \varepsilon; u \vdash \mathrm{let}\ x = e_1\ \mathrm{in}\ e_2 : E \backslash \omega_1 \cup \omega_2 \mid u''$  Assumption

$\Sigma; \Delta_2, P \vdash_\varepsilon P'$

$\cdot; \Sigma; \Delta_1; \varepsilon; u \vdash e_1 : \exists x : T.P \backslash \omega_1 \mid u_2$  $x : C; \Sigma; P'; \varepsilon; u_2 \vdash e_2 : E \backslash \omega_2 \mid u''$

No permissions for $\omega_1$ in $\Delta_2$

Inversion of typing rule

Subcase: $e_1$ is a value.

$e_1 = k \cdot o$  No other values.

$k' \cdot o \in S_p$  $k < k'$  By inversion of T-Loc and $\Sigma; \Delta \vdash S_p$
$o \in H$  Heap condition 1

Only not-active(e) possible when $e_1$ is a value.

We can step when a = $\circ$.
$a; H; (e, S_p) \rightarrow a'; H'; (e', S_p'); T$  By rule E-Let-V

Subcase: $e_1$ is not a value.

$e_1$ is well-typed  Above
$e_1$ must step  Induction hypothesis

If active(e) then active($e_1$)  active for Let

$e_1$ must step when a = $\bullet$  I.H.

If not-active(e) then not-active($e_1$)  not-active for Let
$e_1$ must step when a = $\circ$  I.H.

$a; H; (e, S_p) \rightarrow a'; H'; (e', S_p'); T$  By rule E-Let-E


Case T-New

So e = new C($\overline{k \cdot o}$).

$\Sigma; \Delta^\varepsilon; u^\varepsilon \vdash H; S_p$  Assumption

$\cdot; \Sigma; \Delta; \varepsilon; u \vdash \mathrm{new}\ C(\overline{k \cdot o}) : \exists x : C.\mathrm{unique} \cdot x@s \backslash \emptyset \mid u$  Assumption
$\cdot; \Sigma; \Delta \vdash_\varepsilon [\bar o/\bar x]P$  $\bar o : \bar C \subseteq \Sigma$  init(C) = $(\exists \bar x : \bar C.P, s)$  Inversion of typing rule
$H; S_p \vdash [\bar o/\bar x]P$  Heap condition 4.c.

$\overline{k \cdot o} \in S_p$  $\Sigma; \Delta \vdash S_p$
$\bar k < \overline{k'}$  $\Sigma; \Delta \vdash S_p$

We can only derive not-active(e)

We can step when a = $\circ$

$a; H; (e, S_p) \rightarrow a'; H'; (e', S_p'); T'$  By rule E-New-E


Case T-Assign

$\Sigma; \Delta^\varepsilon; u^\varepsilon \vdash H; S_p$  Assumption

$\cdot; \Sigma; \Delta, \Delta'; \varepsilon; k' \cdot o'@s' \vdash o'.f_i := k \cdot o : \exists x' : C_i.P' \otimes [o'.f_i/x]P \backslash \{o_1.f\} \mid k' \cdot o'@s'$  Assumption

localFields($C'$) = $\bar f : \bar C$  $(o' : C') \in \Sigma$  writes($k'$)
$\cdot; \Sigma; \Delta \vdash_\varepsilon k \cdot o : \exists x : C_i.P$  $\cdot; \Sigma; \Delta' \vdash_\varepsilon [o'.f_i/x']P'$

Inversion of typing rule.

$o \mapsto C(\ldots)@\mathrm{unpacked}(k') \in H$  Heap condition 3
$k_i \cdot o_i \in S_p$  Heap condition 4.d
$k_i < k_i'$  Heap condition 4.d

Only not-active(e) can be derived.

We can step when a = $\circ$
$a; H; (e, S_p) \rightarrow a'; H'; (e', S_p'); T'$  By rule E-Assign-E